1/*
2 * SSLv3/TLSv1 client-side functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20#include "common.h"
21
22#if defined(MBEDTLS_SSL_CLI_C)
23
24#include "mbedtls/platform.h"
25
26#include "mbedtls/ssl.h"
27#include "mbedtls/ssl_internal.h"
28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
30#include "mbedtls/constant_time.h"
31
32#if defined(MBEDTLS_USE_PSA_CRYPTO)
33#include "mbedtls/psa_util.h"
34#include "psa/crypto.h"
35#endif /* MBEDTLS_USE_PSA_CRYPTO */
36
37#include <string.h>
38
39#include <stdint.h>
40
41#if defined(MBEDTLS_HAVE_TIME)
42#include "mbedtls/platform_time.h"
43#endif
44
45#if defined(MBEDTLS_SSL_SESSION_TICKETS)
46#include "mbedtls/platform_util.h"
47#endif
48
49#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
50MBEDTLS_CHECK_RETURN_CRITICAL
51static int ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
52{
53 if (conf->psk_identity == NULL ||
54 conf->psk_identity_len == 0) {
55 return 0;
56 }
57
58 if (conf->psk != NULL && conf->psk_len != 0) {
59 return 1;
60 }
61
62#if defined(MBEDTLS_USE_PSA_CRYPTO)
63 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
64 return 1;
65 }
66#endif /* MBEDTLS_USE_PSA_CRYPTO */
67
68 return 0;
69}
70
71#if defined(MBEDTLS_USE_PSA_CRYPTO)
72MBEDTLS_CHECK_RETURN_CRITICAL
73static int ssl_conf_has_static_raw_psk(mbedtls_ssl_config const *conf)
74{
75 if (conf->psk_identity == NULL ||
76 conf->psk_identity_len == 0) {
77 return 0;
78 }
79
80 if (conf->psk != NULL && conf->psk_len != 0) {
81 return 1;
82 }
83
84 return 0;
85}
86#endif /* MBEDTLS_USE_PSA_CRYPTO */
87
88#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
89
90#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
91MBEDTLS_CHECK_RETURN_CRITICAL
92static int ssl_write_hostname_ext(mbedtls_ssl_context *ssl,
93 unsigned char *buf,
94 const unsigned char *end,
95 size_t *olen)
96{
97 unsigned char *p = buf;
98 size_t hostname_len;
99
100 *olen = 0;
101
102 if (ssl->hostname == NULL) {
103 return 0;
104 }
105
106 MBEDTLS_SSL_DEBUG_MSG(3,
107 ("client hello, adding server name extension: %s",
108 ssl->hostname));
109
110 hostname_len = strlen(ssl->hostname);
111
112 MBEDTLS_SSL_CHK_BUF_PTR(p, end, hostname_len + 9);
113
114 /*
115 * Sect. 3, RFC 6066 (TLS Extensions Definitions)
116 *
117 * In order to provide any of the server names, clients MAY include an
118 * extension of type "server_name" in the (extended) client hello. The
119 * "extension_data" field of this extension SHALL contain
120 * "ServerNameList" where:
121 *
122 * struct {
123 * NameType name_type;
124 * select (name_type) {
125 * case host_name: HostName;
126 * } name;
127 * } ServerName;
128 *
129 * enum {
130 * host_name(0), (255)
131 * } NameType;
132 *
133 * opaque HostName<1..2^16-1>;
134 *
135 * struct {
136 * ServerName server_name_list<1..2^16-1>
137 * } ServerNameList;
138 *
139 */
140 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SERVERNAME, p, 0);
141 p += 2;
142
143 MBEDTLS_PUT_UINT16_BE(hostname_len + 5, p, 0);
144 p += 2;
145
146 MBEDTLS_PUT_UINT16_BE(hostname_len + 3, p, 0);
147 p += 2;
148
149 *p++ = MBEDTLS_BYTE_0(MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME);
150
151 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
152 p += 2;
153
154 memcpy(p, ssl->hostname, hostname_len);
155
156 *olen = hostname_len + 9;
157
158 return 0;
159}
160#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
161
162#if defined(MBEDTLS_SSL_RENEGOTIATION)
163MBEDTLS_CHECK_RETURN_CRITICAL
164static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
165 unsigned char *buf,
166 const unsigned char *end,
167 size_t *olen)
168{
169 unsigned char *p = buf;
170
171 *olen = 0;
172
173 /* We're always including a TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the
174 * initial ClientHello, in which case also adding the renegotiation
175 * info extension is NOT RECOMMENDED as per RFC 5746 Section 3.4. */
176 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
177 return 0;
178 }
179
180 MBEDTLS_SSL_DEBUG_MSG(3,
181 ("client hello, adding renegotiation extension"));
182
183 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5 + ssl->verify_data_len);
184
185 /*
186 * Secure renegotiation
187 */
188 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_RENEGOTIATION_INFO, p, 0);
189 p += 2;
190
191 *p++ = 0x00;
192 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len + 1);
193 *p++ = MBEDTLS_BYTE_0(ssl->verify_data_len);
194
195 memcpy(p, ssl->own_verify_data, ssl->verify_data_len);
196
197 *olen = 5 + ssl->verify_data_len;
198
199 return 0;
200}
201#endif /* MBEDTLS_SSL_RENEGOTIATION */
202
203/*
204 * Only if we handle at least one key exchange that needs signatures.
205 */
206#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
207 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
208MBEDTLS_CHECK_RETURN_CRITICAL
209static int ssl_write_signature_algorithms_ext(mbedtls_ssl_context *ssl,
210 unsigned char *buf,
211 const unsigned char *end,
212 size_t *olen)
213{
214 unsigned char *p = buf;
215 size_t sig_alg_len = 0;
216 const int *md;
217
218#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
219 unsigned char *sig_alg_list = buf + 6;
220#endif
221
222 *olen = 0;
223
224 if (ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
225 return 0;
226 }
227
228 MBEDTLS_SSL_DEBUG_MSG(3,
229 ("client hello, adding signature_algorithms extension"));
230
231 if (ssl->conf->sig_hashes == NULL) {
232 return MBEDTLS_ERR_SSL_BAD_CONFIG;
233 }
234
235 for (md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
236#if defined(MBEDTLS_ECDSA_C)
237 sig_alg_len += 2;
238#endif
239#if defined(MBEDTLS_RSA_C)
240 sig_alg_len += 2;
241#endif
242 if (sig_alg_len > MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN) {
243 MBEDTLS_SSL_DEBUG_MSG(3,
244 ("length in bytes of sig-hash-alg extension too big"));
245 return MBEDTLS_ERR_SSL_BAD_CONFIG;
246 }
247 }
248
249 /* Empty signature algorithms list, this is a configuration error. */
250 if (sig_alg_len == 0) {
251 return MBEDTLS_ERR_SSL_BAD_CONFIG;
252 }
253
254 MBEDTLS_SSL_CHK_BUF_PTR(p, end, sig_alg_len + 6);
255
256 /*
257 * Prepare signature_algorithms extension (TLS 1.2)
258 */
259 sig_alg_len = 0;
260
261 for (md = ssl->conf->sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
262#if defined(MBEDTLS_ECDSA_C)
263 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg(*md);
264 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_ECDSA;
265#endif
266#if defined(MBEDTLS_RSA_C)
267 sig_alg_list[sig_alg_len++] = mbedtls_ssl_hash_from_md_alg(*md);
268 sig_alg_list[sig_alg_len++] = MBEDTLS_SSL_SIG_RSA;
269#endif
270 }
271
272 /*
273 * enum {
274 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
275 * sha512(6), (255)
276 * } HashAlgorithm;
277 *
278 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
279 * SignatureAlgorithm;
280 *
281 * struct {
282 * HashAlgorithm hash;
283 * SignatureAlgorithm signature;
284 * } SignatureAndHashAlgorithm;
285 *
286 * SignatureAndHashAlgorithm
287 * supported_signature_algorithms<2..2^16-2>;
288 */
289 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, p, 0);
290 p += 2;
291
292 MBEDTLS_PUT_UINT16_BE(sig_alg_len + 2, p, 0);
293 p += 2;
294
295 MBEDTLS_PUT_UINT16_BE(sig_alg_len, p, 0);
296 p += 2;
297
298 *olen = 6 + sig_alg_len;
299
300 return 0;
301}
302#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
303 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
304
305#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
306 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
307MBEDTLS_CHECK_RETURN_CRITICAL
308static int ssl_write_supported_elliptic_curves_ext(mbedtls_ssl_context *ssl,
309 unsigned char *buf,
310 const unsigned char *end,
311 size_t *olen)
312{
313 unsigned char *p = buf;
314 unsigned char *elliptic_curve_list = p + 6;
315 size_t elliptic_curve_len = 0;
316 const mbedtls_ecp_curve_info *info;
317 const mbedtls_ecp_group_id *grp_id;
318
319 *olen = 0;
320
321 MBEDTLS_SSL_DEBUG_MSG(3,
322 ("client hello, adding supported_elliptic_curves extension"));
323
324 if (ssl->conf->curve_list == NULL) {
325 return MBEDTLS_ERR_SSL_BAD_CONFIG;
326 }
327
328 for (grp_id = ssl->conf->curve_list;
329 *grp_id != MBEDTLS_ECP_DP_NONE;
330 grp_id++) {
331 info = mbedtls_ecp_curve_info_from_grp_id(*grp_id);
332 if (info == NULL) {
333 MBEDTLS_SSL_DEBUG_MSG(1,
334 ("invalid curve in ssl configuration"));
335 return MBEDTLS_ERR_SSL_BAD_CONFIG;
336 }
337 elliptic_curve_len += 2;
338
339 if (elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN) {
340 MBEDTLS_SSL_DEBUG_MSG(3,
341 ("malformed supported_elliptic_curves extension in config"));
342 return MBEDTLS_ERR_SSL_BAD_CONFIG;
343 }
344 }
345
346 /* Empty elliptic curve list, this is a configuration error. */
347 if (elliptic_curve_len == 0) {
348 return MBEDTLS_ERR_SSL_BAD_CONFIG;
349 }
350
351 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6 + elliptic_curve_len);
352
353 elliptic_curve_len = 0;
354
355 for (grp_id = ssl->conf->curve_list;
356 *grp_id != MBEDTLS_ECP_DP_NONE;
357 grp_id++) {
358 info = mbedtls_ecp_curve_info_from_grp_id(*grp_id);
359 elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_1(info->tls_id);
360 elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_0(info->tls_id);
361 }
362
363 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES, p, 0);
364 p += 2;
365
366 MBEDTLS_PUT_UINT16_BE(elliptic_curve_len + 2, p, 0);
367 p += 2;
368
369 MBEDTLS_PUT_UINT16_BE(elliptic_curve_len, p, 0);
370 p += 2;
371
372 *olen = 6 + elliptic_curve_len;
373
374 return 0;
375}
376
377MBEDTLS_CHECK_RETURN_CRITICAL
378static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
379 unsigned char *buf,
380 const unsigned char *end,
381 size_t *olen)
382{
383 unsigned char *p = buf;
384 (void) ssl; /* ssl used for debugging only */
385
386 *olen = 0;
387
388 MBEDTLS_SSL_DEBUG_MSG(3,
389 ("client hello, adding supported_point_formats extension"));
390 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
391
392 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, p, 0);
393 p += 2;
394
395 *p++ = 0x00;
396 *p++ = 2;
397
398 *p++ = 1;
399 *p++ = MBEDTLS_ECP_PF_UNCOMPRESSED;
400
401 *olen = 6;
402
403 return 0;
404}
405#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
406 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
407
408#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
409MBEDTLS_CHECK_RETURN_CRITICAL
410static int ssl_write_ecjpake_kkpp_ext(mbedtls_ssl_context *ssl,
411 unsigned char *buf,
412 const unsigned char *end,
413 size_t *olen)
414{
415 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
416 unsigned char *p = buf;
417 size_t kkpp_len;
418
419 *olen = 0;
420
421 /* Skip costly extension if we can't use EC J-PAKE anyway */
422 if (mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
423 return 0;
424 }
425
426 MBEDTLS_SSL_DEBUG_MSG(3,
427 ("client hello, adding ecjpake_kkpp extension"));
428
429 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
430
431 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0);
432 p += 2;
433
434 /*
435 * We may need to send ClientHello multiple times for Hello verification.
436 * We don't want to compute fresh values every time (both for performance
437 * and consistency reasons), so cache the extension content.
438 */
439 if (ssl->handshake->ecjpake_cache == NULL ||
440 ssl->handshake->ecjpake_cache_len == 0) {
441 MBEDTLS_SSL_DEBUG_MSG(3, ("generating new ecjpake parameters"));
442
443 ret = mbedtls_ecjpake_write_round_one(&ssl->handshake->ecjpake_ctx,
444 p + 2, end - p - 2, &kkpp_len,
445 ssl->conf->f_rng, ssl->conf->p_rng);
446 if (ret != 0) {
447 MBEDTLS_SSL_DEBUG_RET(1,
448 "mbedtls_ecjpake_write_round_one", ret);
449 return ret;
450 }
451
452 ssl->handshake->ecjpake_cache = mbedtls_calloc(1, kkpp_len);
453 if (ssl->handshake->ecjpake_cache == NULL) {
454 MBEDTLS_SSL_DEBUG_MSG(1, ("allocation failed"));
455 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
456 }
457
458 memcpy(ssl->handshake->ecjpake_cache, p + 2, kkpp_len);
459 ssl->handshake->ecjpake_cache_len = kkpp_len;
460 } else {
461 MBEDTLS_SSL_DEBUG_MSG(3, ("re-using cached ecjpake parameters"));
462
463 kkpp_len = ssl->handshake->ecjpake_cache_len;
464 MBEDTLS_SSL_CHK_BUF_PTR(p + 2, end, kkpp_len);
465
466 memcpy(p + 2, ssl->handshake->ecjpake_cache, kkpp_len);
467 }
468
469 MBEDTLS_PUT_UINT16_BE(kkpp_len, p, 0);
470 p += 2;
471
472 *olen = kkpp_len + 4;
473
474 return 0;
475}
476#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
477
478#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
479MBEDTLS_CHECK_RETURN_CRITICAL
480static int ssl_write_cid_ext(mbedtls_ssl_context *ssl,
481 unsigned char *buf,
482 const unsigned char *end,
483 size_t *olen)
484{
485 unsigned char *p = buf;
486 size_t ext_len;
487
488 /*
489 * Quoting draft-ietf-tls-dtls-connection-id-05
490 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
491 *
492 * struct {
493 * opaque cid<0..2^8-1>;
494 * } ConnectionId;
495 */
496
497 *olen = 0;
498 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
499 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
500 return 0;
501 }
502 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding CID extension"));
503
504 /* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
505 * which is at most 255, so the increment cannot overflow. */
506 MBEDTLS_SSL_CHK_BUF_PTR(p, end, (unsigned) (ssl->own_cid_len + 5));
507
508 /* Add extension ID + size */
509 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_CID, p, 0);
510 p += 2;
511 ext_len = (size_t) ssl->own_cid_len + 1;
512 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
513 p += 2;
514
515 *p++ = (uint8_t) ssl->own_cid_len;
516 memcpy(p, ssl->own_cid, ssl->own_cid_len);
517
518 *olen = ssl->own_cid_len + 5;
519
520 return 0;
521}
522#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
523
524#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
525MBEDTLS_CHECK_RETURN_CRITICAL
526static int ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
527 unsigned char *buf,
528 const unsigned char *end,
529 size_t *olen)
530{
531 unsigned char *p = buf;
532
533 *olen = 0;
534
535 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE) {
536 return 0;
537 }
538
539 MBEDTLS_SSL_DEBUG_MSG(3,
540 ("client hello, adding max_fragment_length extension"));
541
542 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 5);
543
544 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, p, 0);
545 p += 2;
546
547 *p++ = 0x00;
548 *p++ = 1;
549
550 *p++ = ssl->conf->mfl_code;
551
552 *olen = 5;
553
554 return 0;
555}
556#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
557
558#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
559MBEDTLS_CHECK_RETURN_CRITICAL
560static int ssl_write_truncated_hmac_ext(mbedtls_ssl_context *ssl,
561 unsigned char *buf,
562 const unsigned char *end,
563 size_t *olen)
564{
565 unsigned char *p = buf;
566
567 *olen = 0;
568
569 if (ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED) {
570 return 0;
571 }
572
573 MBEDTLS_SSL_DEBUG_MSG(3,
574 ("client hello, adding truncated_hmac extension"));
575
576 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
577
578 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_TRUNCATED_HMAC, p, 0);
579 p += 2;
580
581 *p++ = 0x00;
582 *p++ = 0x00;
583
584 *olen = 4;
585
586 return 0;
587}
588#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
589
590#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
591MBEDTLS_CHECK_RETURN_CRITICAL
592static int ssl_write_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
593 unsigned char *buf,
594 const unsigned char *end,
595 size_t *olen)
596{
597 unsigned char *p = buf;
598
599 *olen = 0;
600
601 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
602 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
603 return 0;
604 }
605
606 MBEDTLS_SSL_DEBUG_MSG(3,
607 ("client hello, adding encrypt_then_mac extension"));
608
609 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
610
611 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, p, 0);
612 p += 2;
613
614 *p++ = 0x00;
615 *p++ = 0x00;
616
617 *olen = 4;
618
619 return 0;
620}
621#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
622
623#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
624MBEDTLS_CHECK_RETURN_CRITICAL
625static int ssl_write_extended_ms_ext(mbedtls_ssl_context *ssl,
626 unsigned char *buf,
627 const unsigned char *end,
628 size_t *olen)
629{
630 unsigned char *p = buf;
631
632 *olen = 0;
633
634 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
635 ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0) {
636 return 0;
637 }
638
639 MBEDTLS_SSL_DEBUG_MSG(3,
640 ("client hello, adding extended_master_secret extension"));
641
642 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4);
643
644 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, p, 0);
645 p += 2;
646
647 *p++ = 0x00;
648 *p++ = 0x00;
649
650 *olen = 4;
651
652 return 0;
653}
654#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
655
656#if defined(MBEDTLS_SSL_SESSION_TICKETS)
657MBEDTLS_CHECK_RETURN_CRITICAL
658static int ssl_write_session_ticket_ext(mbedtls_ssl_context *ssl,
659 unsigned char *buf,
660 const unsigned char *end,
661 size_t *olen)
662{
663 unsigned char *p = buf;
664 size_t tlen = ssl->session_negotiate->ticket_len;
665
666 *olen = 0;
667
668 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
669 return 0;
670 }
671
672 MBEDTLS_SSL_DEBUG_MSG(3,
673 ("client hello, adding session ticket extension"));
674
675 /* The addition is safe here since the ticket length is 16 bit. */
676 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 4 + tlen);
677
678 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SESSION_TICKET, p, 0);
679 p += 2;
680
681 MBEDTLS_PUT_UINT16_BE(tlen, p, 0);
682 p += 2;
683
684 *olen = 4;
685
686 if (ssl->session_negotiate->ticket == NULL || tlen == 0) {
687 return 0;
688 }
689
690 MBEDTLS_SSL_DEBUG_MSG(3,
691 ("sending session ticket of length %" MBEDTLS_PRINTF_SIZET, tlen));
692
693 memcpy(p, ssl->session_negotiate->ticket, tlen);
694
695 *olen += tlen;
696
697 return 0;
698}
699#endif /* MBEDTLS_SSL_SESSION_TICKETS */
700
701#if defined(MBEDTLS_SSL_ALPN)
702MBEDTLS_CHECK_RETURN_CRITICAL
703static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
704 unsigned char *buf,
705 const unsigned char *end,
706 size_t *olen)
707{
708 unsigned char *p = buf;
709 size_t alpnlen = 0;
710 const char **cur;
711
712 *olen = 0;
713
714 if (ssl->conf->alpn_list == NULL) {
715 return 0;
716 }
717
718 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding alpn extension"));
719
720 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
721 alpnlen += strlen(*cur) + 1;
722 }
723
724 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6 + alpnlen);
725
726 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
727 p += 2;
728
729 /*
730 * opaque ProtocolName<1..2^8-1>;
731 *
732 * struct {
733 * ProtocolName protocol_name_list<2..2^16-1>
734 * } ProtocolNameList;
735 */
736
737 /* Skip writing extension and list length for now */
738 p += 4;
739
740 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
741 /*
742 * mbedtls_ssl_conf_set_alpn_protocols() checked that the length of
743 * protocol names is less than 255.
744 */
745 *p = (unsigned char) strlen(*cur);
746 memcpy(p + 1, *cur, *p);
747 p += 1 + *p;
748 }
749
750 *olen = p - buf;
751
752 /* List length = olen - 2 (ext_type) - 2 (ext_len) - 2 (list_len) */
753 MBEDTLS_PUT_UINT16_BE(*olen - 6, buf, 4);
754
755 /* Extension length = olen - 2 (ext_type) - 2 (ext_len) */
756 MBEDTLS_PUT_UINT16_BE(*olen - 4, buf, 2);
757
758 return 0;
759}
760#endif /* MBEDTLS_SSL_ALPN */
761
762#if defined(MBEDTLS_SSL_DTLS_SRTP)
763MBEDTLS_CHECK_RETURN_CRITICAL
764static int ssl_write_use_srtp_ext(mbedtls_ssl_context *ssl,
765 unsigned char *buf,
766 const unsigned char *end,
767 size_t *olen)
768{
769 unsigned char *p = buf;
770 size_t protection_profiles_index = 0, ext_len = 0;
771 uint16_t mki_len = 0, profile_value = 0;
772
773 *olen = 0;
774
775 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
776 (ssl->conf->dtls_srtp_profile_list == NULL) ||
777 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
778 return 0;
779 }
780
781 /* RFC 5764 section 4.1.1
782 * uint8 SRTPProtectionProfile[2];
783 *
784 * struct {
785 * SRTPProtectionProfiles SRTPProtectionProfiles;
786 * opaque srtp_mki<0..255>;
787 * } UseSRTPData;
788 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
789 */
790 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
791 mki_len = ssl->dtls_srtp_info.mki_len;
792 }
793 /* Extension length = 2 bytes for profiles length,
794 * ssl->conf->dtls_srtp_profile_list_len * 2 (each profile is 2 bytes length ),
795 * 1 byte for srtp_mki vector length and the mki_len value
796 */
797 ext_len = 2 + 2 * (ssl->conf->dtls_srtp_profile_list_len) + 1 + mki_len;
798
799 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, adding use_srtp extension"));
800
801 /* Check there is room in the buffer for the extension + 4 bytes
802 * - the extension tag (2 bytes)
803 * - the extension length (2 bytes)
804 */
805 MBEDTLS_SSL_CHK_BUF_PTR(p, end, ext_len + 4);
806
807 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_USE_SRTP, p, 0);
808 p += 2;
809
810 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
811 p += 2;
812
813 /* protection profile length: 2*(ssl->conf->dtls_srtp_profile_list_len) */
814 /* micro-optimization:
815 * the list size is limited to MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH
816 * which is lower than 127, so the upper byte of the length is always 0
817 * For the documentation, the more generic code is left in comments
818 * *p++ = (unsigned char)( ( ( 2 * ssl->conf->dtls_srtp_profile_list_len )
819 * >> 8 ) & 0xFF );
820 */
821 *p++ = 0;
822 *p++ = MBEDTLS_BYTE_0(2 * ssl->conf->dtls_srtp_profile_list_len);
823
824 for (protection_profiles_index = 0;
825 protection_profiles_index < ssl->conf->dtls_srtp_profile_list_len;
826 protection_profiles_index++) {
827 profile_value = mbedtls_ssl_check_srtp_profile_value
828 (ssl->conf->dtls_srtp_profile_list[protection_profiles_index]);
829 if (profile_value != MBEDTLS_TLS_SRTP_UNSET) {
830 MBEDTLS_SSL_DEBUG_MSG(3, ("ssl_write_use_srtp_ext, add profile: %04x",
831 profile_value));
832 MBEDTLS_PUT_UINT16_BE(profile_value, p, 0);
833 p += 2;
834 } else {
835 /*
836 * Note: we shall never arrive here as protection profiles
837 * is checked by mbedtls_ssl_conf_dtls_srtp_protection_profiles function
838 */
839 MBEDTLS_SSL_DEBUG_MSG(3,
840 ("client hello, "
841 "illegal DTLS-SRTP protection profile %d",
842 ssl->conf->dtls_srtp_profile_list[protection_profiles_index]
843 ));
844 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
845 }
846 }
847
848 *p++ = mki_len & 0xFF;
849
850 if (mki_len != 0) {
851 memcpy(p, ssl->dtls_srtp_info.mki_value, mki_len);
852 /*
853 * Increment p to point to the current position.
854 */
855 p += mki_len;
856 MBEDTLS_SSL_DEBUG_BUF(3, "sending mki", ssl->dtls_srtp_info.mki_value,
857 ssl->dtls_srtp_info.mki_len);
858 }
859
860 /*
861 * total extension length: extension type (2 bytes)
862 * + extension length (2 bytes)
863 * + protection profile length (2 bytes)
864 * + 2 * number of protection profiles
865 * + srtp_mki vector length(1 byte)
866 * + mki value
867 */
868 *olen = p - buf;
869
870 return 0;
871}
872#endif /* MBEDTLS_SSL_DTLS_SRTP */
873
874/*
875 * Generate random bytes for ClientHello
876 */
877MBEDTLS_CHECK_RETURN_CRITICAL
878static int ssl_generate_random(mbedtls_ssl_context *ssl)
879{
880 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
881 unsigned char *p = ssl->handshake->randbytes;
882#if defined(MBEDTLS_HAVE_TIME)
883 mbedtls_time_t t;
884#endif
885
886 /*
887 * When responding to a verify request, MUST reuse random (RFC 6347 4.2.1)
888 */
889#if defined(MBEDTLS_SSL_PROTO_DTLS)
890 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
891 ssl->handshake->verify_cookie != NULL) {
892 return 0;
893 }
894#endif
895
896#if defined(MBEDTLS_HAVE_TIME)
897 t = mbedtls_time(NULL);
898 MBEDTLS_PUT_UINT32_BE(t, p, 0);
899 p += 4;
900
901 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, current time: %" MBEDTLS_PRINTF_LONGLONG,
902 (long long) t));
903#else
904 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 4)) != 0) {
905 return ret;
906 }
907
908 p += 4;
909#endif /* MBEDTLS_HAVE_TIME */
910
911 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p, 28)) != 0) {
912 return ret;
913 }
914
915 return 0;
916}
917
918/**
919 * \brief Validate cipher suite against config in SSL context.
920 *
921 * \param suite_info cipher suite to validate
922 * \param ssl SSL context
923 * \param min_minor_ver Minimal minor version to accept a cipher suite
924 * \param max_minor_ver Maximal minor version to accept a cipher suite
925 *
926 * \return 0 if valid, else 1
927 */
928MBEDTLS_CHECK_RETURN_CRITICAL
929static int ssl_validate_ciphersuite(
930 const mbedtls_ssl_ciphersuite_t *suite_info,
931 const mbedtls_ssl_context *ssl,
932 int min_minor_ver, int max_minor_ver)
933{
934 (void) ssl;
935 if (suite_info == NULL) {
936 return 1;
937 }
938
939 if (suite_info->min_minor_ver > max_minor_ver ||
940 suite_info->max_minor_ver < min_minor_ver) {
941 return 1;
942 }
943
944#if defined(MBEDTLS_SSL_PROTO_DTLS)
945 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
946 (suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS)) {
947 return 1;
948 }
949#endif
950
951#if defined(MBEDTLS_ARC4_C)
952 if (ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
953 suite_info->cipher == MBEDTLS_CIPHER_ARC4_128) {
954 return 1;
955 }
956#endif
957
958#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
959 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
960 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) {
961 return 1;
962 }
963#endif
964
965 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
966#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
967 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
968 ssl_conf_has_static_psk(ssl->conf) == 0) {
969 return 1;
970 }
971#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
972
973 return 0;
974}
975
976MBEDTLS_CHECK_RETURN_CRITICAL
977static int ssl_write_client_hello(mbedtls_ssl_context *ssl)
978{
979 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
980 size_t i, n, olen, ext_len = 0;
981
982 unsigned char *buf;
983 unsigned char *p, *q;
984 const unsigned char *end;
985
986 unsigned char offer_compress;
987 const int *ciphersuites;
988 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
989#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
990 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
991 int uses_ec = 0;
992#endif
993
994 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client hello"));
995
996 if (ssl->conf->f_rng == NULL) {
997 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
998 return MBEDTLS_ERR_SSL_NO_RNG;
999 }
1000
1001 int renegotiating = 0;
1002#if defined(MBEDTLS_SSL_RENEGOTIATION)
1003 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1004 renegotiating = 1;
1005 }
1006#endif
1007 if (!renegotiating) {
1008 ssl->major_ver = ssl->conf->min_major_ver;
1009 ssl->minor_ver = ssl->conf->min_minor_ver;
1010 }
1011
1012 if (ssl->conf->max_major_ver == 0) {
1013 MBEDTLS_SSL_DEBUG_MSG(1,
1014 (
1015 "configured max major version is invalid, consider using mbedtls_ssl_config_defaults()"));
1016 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1017 }
1018
1019 buf = ssl->out_msg;
1020 end = buf + MBEDTLS_SSL_OUT_CONTENT_LEN;
1021
1022 /*
1023 * Check if there's enough space for the first part of the ClientHello
1024 * consisting of the 38 bytes described below, the session identifier (at
1025 * most 32 bytes) and its length (1 byte).
1026 *
1027 * Use static upper bounds instead of the actual values
1028 * to allow the compiler to optimize this away.
1029 */
1030 MBEDTLS_SSL_CHK_BUF_PTR(buf, end, 38 + 1 + 32);
1031
1032 /*
1033 * The 38 first bytes of the ClientHello:
1034 * 0 . 0 handshake type (written later)
1035 * 1 . 3 handshake length (written later)
1036 * 4 . 5 highest version supported
1037 * 6 . 9 current UNIX time
1038 * 10 . 37 random bytes
1039 *
1040 * The current UNIX time (4 bytes) and following 28 random bytes are written
1041 * by ssl_generate_random() into ssl->handshake->randbytes buffer and then
1042 * copied from there into the output buffer.
1043 */
1044
1045 p = buf + 4;
1046 mbedtls_ssl_write_version(ssl->conf->max_major_ver,
1047 ssl->conf->max_minor_ver,
1048 ssl->conf->transport, p);
1049 p += 2;
1050
1051 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, max version: [%d:%d]",
1052 buf[4], buf[5]));
1053
1054 if ((ret = ssl_generate_random(ssl)) != 0) {
1055 MBEDTLS_SSL_DEBUG_RET(1, "ssl_generate_random", ret);
1056 return ret;
1057 }
1058
1059 memcpy(p, ssl->handshake->randbytes, 32);
1060 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes", p, 32);
1061 p += 32;
1062
1063 /*
1064 * 38 . 38 session id length
1065 * 39 . 39+n session id
1066 * 39+n . 39+n DTLS only: cookie length (1 byte)
1067 * 40+n . .. DTLS only: cookie
1068 * .. . .. ciphersuitelist length (2 bytes)
1069 * .. . .. ciphersuitelist
1070 * .. . .. compression methods length (1 byte)
1071 * .. . .. compression methods
1072 * .. . .. extensions length (2 bytes)
1073 * .. . .. extensions
1074 */
1075 n = ssl->session_negotiate->id_len;
1076
1077 if (n < 16 || n > 32 ||
1078#if defined(MBEDTLS_SSL_RENEGOTIATION)
1079 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
1080#endif
1081 ssl->handshake->resume == 0) {
1082 n = 0;
1083 }
1084
1085#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1086 /*
1087 * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
1088 * generate and include a Session ID in the TLS ClientHello."
1089 */
1090 if (!renegotiating) {
1091 if (ssl->session_negotiate->ticket != NULL &&
1092 ssl->session_negotiate->ticket_len != 0) {
1093 ret = ssl->conf->f_rng(ssl->conf->p_rng,
1094 ssl->session_negotiate->id, 32);
1095
1096 if (ret != 0) {
1097 return ret;
1098 }
1099
1100 ssl->session_negotiate->id_len = n = 32;
1101 }
1102 }
1103#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1104
1105 /*
1106 * The first check of the output buffer size above (
1107 * MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 38 + 1 + 32 );)
1108 * has checked that there is enough space in the output buffer for the
1109 * session identifier length byte and the session identifier (n <= 32).
1110 */
1111 *p++ = (unsigned char) n;
1112
1113 for (i = 0; i < n; i++) {
1114 *p++ = ssl->session_negotiate->id[i];
1115 }
1116
1117 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
1118 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, session id", buf + 39, n);
1119
1120 /*
1121 * With 'n' being the length of the session identifier
1122 *
1123 * 39+n . 39+n DTLS only: cookie length (1 byte)
1124 * 40+n . .. DTLS only: cookie
1125 * .. . .. ciphersuitelist length (2 bytes)
1126 * .. . .. ciphersuitelist
1127 * .. . .. compression methods length (1 byte)
1128 * .. . .. compression methods
1129 * .. . .. extensions length (2 bytes)
1130 * .. . .. extensions
1131 */
1132
1133 /*
1134 * DTLS cookie
1135 */
1136#if defined(MBEDTLS_SSL_PROTO_DTLS)
1137 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1138 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 1);
1139
1140 if (ssl->handshake->verify_cookie == NULL) {
1141 MBEDTLS_SSL_DEBUG_MSG(3, ("no verify cookie to send"));
1142 *p++ = 0;
1143 } else {
1144 MBEDTLS_SSL_DEBUG_BUF(3, "client hello, cookie",
1145 ssl->handshake->verify_cookie,
1146 ssl->handshake->verify_cookie_len);
1147
1148 *p++ = ssl->handshake->verify_cookie_len;
1149
1150 MBEDTLS_SSL_CHK_BUF_PTR(p, end,
1151 ssl->handshake->verify_cookie_len);
1152 memcpy(p, ssl->handshake->verify_cookie,
1153 ssl->handshake->verify_cookie_len);
1154 p += ssl->handshake->verify_cookie_len;
1155 }
1156 }
1157#endif
1158
1159 /*
1160 * Ciphersuite list
1161 */
1162 ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
1163
1164 /* Skip writing ciphersuite length for now */
1165 n = 0;
1166 q = p;
1167
1168 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
1169 p += 2;
1170
1171 for (i = 0; ciphersuites[i] != 0; i++) {
1172 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuites[i]);
1173
1174 if (ssl_validate_ciphersuite(ciphersuite_info, ssl,
1175 ssl->conf->min_minor_ver,
1176 ssl->conf->max_minor_ver) != 0) {
1177 continue;
1178 }
1179
1180 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, add ciphersuite: %#04x (%s)",
1181 (unsigned int) ciphersuites[i], ciphersuite_info->name));
1182
1183#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1184 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1185 uses_ec |= mbedtls_ssl_ciphersuite_uses_ec(ciphersuite_info);
1186#endif
1187
1188 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
1189
1190 n++;
1191 MBEDTLS_PUT_UINT16_BE(ciphersuites[i], p, 0);
1192 p += 2;
1193 }
1194
1195 MBEDTLS_SSL_DEBUG_MSG(3,
1196 ("client hello, got %" MBEDTLS_PRINTF_SIZET
1197 " ciphersuites (excluding SCSVs)", n));
1198
1199 /*
1200 * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
1201 */
1202 if (!renegotiating) {
1203 MBEDTLS_SSL_DEBUG_MSG(3, ("adding EMPTY_RENEGOTIATION_INFO_SCSV"));
1204 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
1205 MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0);
1206 p += 2;
1207 n++;
1208 }
1209
1210 /* Some versions of OpenSSL don't handle it correctly if not at end */
1211#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
1212 if (ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK) {
1213 MBEDTLS_SSL_DEBUG_MSG(3, ("adding FALLBACK_SCSV"));
1214
1215 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
1216 MBEDTLS_PUT_UINT16_BE(MBEDTLS_SSL_FALLBACK_SCSV_VALUE, p, 0);
1217 p += 2;
1218 n++;
1219 }
1220#endif
1221
1222 *q++ = (unsigned char) (n >> 7);
1223 *q++ = (unsigned char) (n << 1);
1224
1225#if defined(MBEDTLS_ZLIB_SUPPORT)
1226 offer_compress = 1;
1227#else
1228 offer_compress = 0;
1229#endif
1230
1231 /*
1232 * We don't support compression with DTLS right now: if many records come
1233 * in the same datagram, uncompressing one could overwrite the next one.
1234 * We don't want to add complexity for handling that case unless there is
1235 * an actual need for it.
1236 */
1237#if defined(MBEDTLS_SSL_PROTO_DTLS)
1238 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1239 offer_compress = 0;
1240 }
1241#endif
1242
1243 if (offer_compress) {
1244 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress len.: %d", 2));
1245 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress alg.: %d %d",
1246 MBEDTLS_SSL_COMPRESS_DEFLATE,
1247 MBEDTLS_SSL_COMPRESS_NULL));
1248
1249 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 3);
1250 *p++ = 2;
1251 *p++ = MBEDTLS_SSL_COMPRESS_DEFLATE;
1252 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1253 } else {
1254 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress len.: %d", 1));
1255 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, compress alg.: %d",
1256 MBEDTLS_SSL_COMPRESS_NULL));
1257
1258 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
1259 *p++ = 1;
1260 *p++ = MBEDTLS_SSL_COMPRESS_NULL;
1261 }
1262
1263 /* First write extensions, then the total length */
1264
1265 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
1266
1267#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1268 if ((ret = ssl_write_hostname_ext(ssl, p + 2 + ext_len,
1269 end, &olen)) != 0) {
1270 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_hostname_ext", ret);
1271 return ret;
1272 }
1273 ext_len += olen;
1274#endif
1275
1276 /* Note that TLS_EMPTY_RENEGOTIATION_INFO_SCSV is always added
1277 * even if MBEDTLS_SSL_RENEGOTIATION is not defined. */
1278#if defined(MBEDTLS_SSL_RENEGOTIATION)
1279 if ((ret = ssl_write_renegotiation_ext(ssl, p + 2 + ext_len,
1280 end, &olen)) != 0) {
1281 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_renegotiation_ext", ret);
1282 return ret;
1283 }
1284 ext_len += olen;
1285#endif
1286
1287#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1288 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1289 if ((ret = ssl_write_signature_algorithms_ext(ssl, p + 2 + ext_len,
1290 end, &olen)) != 0) {
1291 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_signature_algorithms_ext", ret);
1292 return ret;
1293 }
1294 ext_len += olen;
1295#endif
1296
1297#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1298 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1299 if (uses_ec) {
1300 if ((ret = ssl_write_supported_elliptic_curves_ext(ssl, p + 2 + ext_len,
1301 end, &olen)) != 0) {
1302 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_elliptic_curves_ext", ret);
1303 return ret;
1304 }
1305 ext_len += olen;
1306
1307 if ((ret = ssl_write_supported_point_formats_ext(ssl, p + 2 + ext_len,
1308 end, &olen)) != 0) {
1309 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_supported_point_formats_ext", ret);
1310 return ret;
1311 }
1312 ext_len += olen;
1313 }
1314#endif
1315
1316#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1317 if ((ret = ssl_write_ecjpake_kkpp_ext(ssl, p + 2 + ext_len,
1318 end, &olen)) != 0) {
1319 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_ecjpake_kkpp_ext", ret);
1320 return ret;
1321 }
1322 ext_len += olen;
1323#endif
1324
1325#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1326 if ((ret = ssl_write_cid_ext(ssl, p + 2 + ext_len, end, &olen)) != 0) {
1327 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_cid_ext", ret);
1328 return ret;
1329 }
1330 ext_len += olen;
1331#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1332
1333#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1334 if ((ret = ssl_write_max_fragment_length_ext(ssl, p + 2 + ext_len,
1335 end, &olen)) != 0) {
1336 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_max_fragment_length_ext", ret);
1337 return ret;
1338 }
1339 ext_len += olen;
1340#endif
1341
1342#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1343 if ((ret = ssl_write_truncated_hmac_ext(ssl, p + 2 + ext_len,
1344 end, &olen)) != 0) {
1345 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_truncated_hmac_ext", ret);
1346 return ret;
1347 }
1348 ext_len += olen;
1349#endif
1350
1351#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1352 if ((ret = ssl_write_encrypt_then_mac_ext(ssl, p + 2 + ext_len,
1353 end, &olen)) != 0) {
1354 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_encrypt_then_mac_ext", ret);
1355 return ret;
1356 }
1357 ext_len += olen;
1358#endif
1359
1360#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1361 if ((ret = ssl_write_extended_ms_ext(ssl, p + 2 + ext_len,
1362 end, &olen)) != 0) {
1363 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_extended_ms_ext", ret);
1364 return ret;
1365 }
1366 ext_len += olen;
1367#endif
1368
1369#if defined(MBEDTLS_SSL_ALPN)
1370 if ((ret = ssl_write_alpn_ext(ssl, p + 2 + ext_len,
1371 end, &olen)) != 0) {
1372 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_alpn_ext", ret);
1373 return ret;
1374 }
1375 ext_len += olen;
1376#endif
1377
1378#if defined(MBEDTLS_SSL_DTLS_SRTP)
1379 if ((ret = ssl_write_use_srtp_ext(ssl, p + 2 + ext_len,
1380 end, &olen)) != 0) {
1381 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_use_srtp_ext", ret);
1382 return ret;
1383 }
1384 ext_len += olen;
1385#endif
1386
1387#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1388 if ((ret = ssl_write_session_ticket_ext(ssl, p + 2 + ext_len,
1389 end, &olen)) != 0) {
1390 MBEDTLS_SSL_DEBUG_RET(1, "ssl_write_session_ticket_ext", ret);
1391 return ret;
1392 }
1393 ext_len += olen;
1394#endif
1395
1396 /* olen unused if all extensions are disabled */
1397 ((void) olen);
1398
1399 MBEDTLS_SSL_DEBUG_MSG(3, ("client hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
1400 ext_len));
1401
1402 if (ext_len > 0) {
1403 /* No need to check for space here, because the extension
1404 * writing functions already took care of that. */
1405 MBEDTLS_PUT_UINT16_BE(ext_len, p, 0);
1406 p += 2 + ext_len;
1407 }
1408
1409 ssl->out_msglen = p - buf;
1410 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1411 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
1412
1413 ssl->state++;
1414
1415#if defined(MBEDTLS_SSL_PROTO_DTLS)
1416 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1417 mbedtls_ssl_send_flight_completed(ssl);
1418 }
1419#endif
1420
1421 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
1422 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
1423 return ret;
1424 }
1425
1426#if defined(MBEDTLS_SSL_PROTO_DTLS)
1427 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
1428 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
1429 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
1430 return ret;
1431 }
1432#endif /* MBEDTLS_SSL_PROTO_DTLS */
1433
1434 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client hello"));
1435
1436 return 0;
1437}
1438
1439MBEDTLS_CHECK_RETURN_CRITICAL
1440static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
1441 const unsigned char *buf,
1442 size_t len)
1443{
1444#if defined(MBEDTLS_SSL_RENEGOTIATION)
1445 if (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE) {
1446 /* Check verify-data in constant-time. The length OTOH is no secret */
1447 if (len != 1 + ssl->verify_data_len * 2 ||
1448 buf[0] != ssl->verify_data_len * 2 ||
1449 mbedtls_ct_memcmp(buf + 1,
1450 ssl->own_verify_data, ssl->verify_data_len) != 0 ||
1451 mbedtls_ct_memcmp(buf + 1 + ssl->verify_data_len,
1452 ssl->peer_verify_data, ssl->verify_data_len) != 0) {
1453 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching renegotiation info"));
1454 mbedtls_ssl_send_alert_message(
1455 ssl,
1456 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1457 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1458 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1459 }
1460 } else
1461#endif /* MBEDTLS_SSL_RENEGOTIATION */
1462 {
1463 if (len != 1 || buf[0] != 0x00) {
1464 MBEDTLS_SSL_DEBUG_MSG(1,
1465 ("non-zero length renegotiation info"));
1466 mbedtls_ssl_send_alert_message(
1467 ssl,
1468 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1469 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1470 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1471 }
1472
1473 ssl->secure_renegotiation = MBEDTLS_SSL_SECURE_RENEGOTIATION;
1474 }
1475
1476 return 0;
1477}
1478
1479#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
1480MBEDTLS_CHECK_RETURN_CRITICAL
1481static int ssl_parse_max_fragment_length_ext(mbedtls_ssl_context *ssl,
1482 const unsigned char *buf,
1483 size_t len)
1484{
1485 /*
1486 * server should use the extension only if we did,
1487 * and if so the server's value should match ours (and len is always 1)
1488 */
1489 if (ssl->conf->mfl_code == MBEDTLS_SSL_MAX_FRAG_LEN_NONE ||
1490 len != 1 ||
1491 buf[0] != ssl->conf->mfl_code) {
1492 MBEDTLS_SSL_DEBUG_MSG(1,
1493 ("non-matching max fragment length extension"));
1494 mbedtls_ssl_send_alert_message(
1495 ssl,
1496 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1497 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1498 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1499 }
1500
1501 return 0;
1502}
1503#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
1504
1505#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
1506MBEDTLS_CHECK_RETURN_CRITICAL
1507static int ssl_parse_truncated_hmac_ext(mbedtls_ssl_context *ssl,
1508 const unsigned char *buf,
1509 size_t len)
1510{
1511 if (ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
1512 len != 0) {
1513 MBEDTLS_SSL_DEBUG_MSG(1,
1514 ("non-matching truncated HMAC extension"));
1515 mbedtls_ssl_send_alert_message(
1516 ssl,
1517 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1518 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1519 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1520 }
1521
1522 ((void) buf);
1523
1524 ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
1525
1526 return 0;
1527}
1528#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
1529
1530#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1531MBEDTLS_CHECK_RETURN_CRITICAL
1532static int ssl_parse_cid_ext(mbedtls_ssl_context *ssl,
1533 const unsigned char *buf,
1534 size_t len)
1535{
1536 size_t peer_cid_len;
1537
1538 if ( /* CID extension only makes sense in DTLS */
1539 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
1540 /* The server must only send the CID extension if we have offered it. */
1541 ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
1542 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension unexpected"));
1543 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1544 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
1545 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1546 }
1547
1548 if (len == 0) {
1549 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
1550 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1551 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1552 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1553 }
1554
1555 peer_cid_len = *buf++;
1556 len--;
1557
1558 if (peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX) {
1559 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
1560 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1561 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1562 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1563 }
1564
1565 if (len != peer_cid_len) {
1566 MBEDTLS_SSL_DEBUG_MSG(1, ("CID extension invalid"));
1567 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1568 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1569 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1570 }
1571
1572 ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
1573 ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
1574 memcpy(ssl->handshake->peer_cid, buf, peer_cid_len);
1575
1576 MBEDTLS_SSL_DEBUG_MSG(3, ("Use of CID extension negotiated"));
1577 MBEDTLS_SSL_DEBUG_BUF(3, "Server CID", buf, peer_cid_len);
1578
1579 return 0;
1580}
1581#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1582
1583#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1584MBEDTLS_CHECK_RETURN_CRITICAL
1585static int ssl_parse_encrypt_then_mac_ext(mbedtls_ssl_context *ssl,
1586 const unsigned char *buf,
1587 size_t len)
1588{
1589 if (ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
1590 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1591 len != 0) {
1592 MBEDTLS_SSL_DEBUG_MSG(1,
1593 ("non-matching encrypt-then-MAC extension"));
1594 mbedtls_ssl_send_alert_message(
1595 ssl,
1596 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1597 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
1598 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1599 }
1600
1601 ((void) buf);
1602
1603 ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
1604
1605 return 0;
1606}
1607#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1608
1609#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1610MBEDTLS_CHECK_RETURN_CRITICAL
1611static int ssl_parse_extended_ms_ext(mbedtls_ssl_context *ssl,
1612 const unsigned char *buf,
1613 size_t len)
1614{
1615 if (ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
1616 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
1617 len != 0) {
1618 MBEDTLS_SSL_DEBUG_MSG(1,
1619 ("non-matching extended master secret extension"));
1620 mbedtls_ssl_send_alert_message(
1621 ssl,
1622 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1623 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
1624 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1625 }
1626
1627 ((void) buf);
1628
1629 ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
1630
1631 return 0;
1632}
1633#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1634
1635#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1636MBEDTLS_CHECK_RETURN_CRITICAL
1637static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
1638 const unsigned char *buf,
1639 size_t len)
1640{
1641 if (ssl->conf->session_tickets == MBEDTLS_SSL_SESSION_TICKETS_DISABLED ||
1642 len != 0) {
1643 MBEDTLS_SSL_DEBUG_MSG(1,
1644 ("non-matching session ticket extension"));
1645 mbedtls_ssl_send_alert_message(
1646 ssl,
1647 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1648 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
1649 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1650 }
1651
1652 ((void) buf);
1653
1654 ssl->handshake->new_session_ticket = 1;
1655
1656 return 0;
1657}
1658#endif /* MBEDTLS_SSL_SESSION_TICKETS */
1659
1660#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
1661 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1662MBEDTLS_CHECK_RETURN_CRITICAL
1663static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
1664 const unsigned char *buf,
1665 size_t len)
1666{
1667 size_t list_size;
1668 const unsigned char *p;
1669
1670 if (len == 0 || (size_t) (buf[0] + 1) != len) {
1671 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
1672 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1673 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1674 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1675 }
1676 list_size = buf[0];
1677
1678 p = buf + 1;
1679 while (list_size > 0) {
1680 if (p[0] == MBEDTLS_ECP_PF_UNCOMPRESSED ||
1681 p[0] == MBEDTLS_ECP_PF_COMPRESSED) {
1682#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
1683 ssl->handshake->ecdh_ctx.point_format = p[0];
1684#endif
1685#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1686 ssl->handshake->ecjpake_ctx.point_format = p[0];
1687#endif
1688 MBEDTLS_SSL_DEBUG_MSG(4, ("point format selected: %d", p[0]));
1689 return 0;
1690 }
1691
1692 list_size--;
1693 p++;
1694 }
1695
1696 MBEDTLS_SSL_DEBUG_MSG(1, ("no point format in common"));
1697 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1698 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1699 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1700}
1701#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
1702 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1703
1704#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1705MBEDTLS_CHECK_RETURN_CRITICAL
1706static int ssl_parse_ecjpake_kkpp(mbedtls_ssl_context *ssl,
1707 const unsigned char *buf,
1708 size_t len)
1709{
1710 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1711
1712 if (ssl->handshake->ciphersuite_info->key_exchange !=
1713 MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
1714 MBEDTLS_SSL_DEBUG_MSG(3, ("skip ecjpake kkpp extension"));
1715 return 0;
1716 }
1717
1718 /* If we got here, we no longer need our cached extension */
1719 mbedtls_free(ssl->handshake->ecjpake_cache);
1720 ssl->handshake->ecjpake_cache = NULL;
1721 ssl->handshake->ecjpake_cache_len = 0;
1722
1723 if ((ret = mbedtls_ecjpake_read_round_one(&ssl->handshake->ecjpake_ctx,
1724 buf, len)) != 0) {
1725 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_one", ret);
1726 mbedtls_ssl_send_alert_message(
1727 ssl,
1728 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1729 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1730 return ret;
1731 }
1732
1733 return 0;
1734}
1735#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1736
1737#if defined(MBEDTLS_SSL_ALPN)
1738MBEDTLS_CHECK_RETURN_CRITICAL
1739static int ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
1740 const unsigned char *buf, size_t len)
1741{
1742 size_t list_len, name_len;
1743 const char **p;
1744
1745 /* If we didn't send it, the server shouldn't send it */
1746 if (ssl->conf->alpn_list == NULL) {
1747 MBEDTLS_SSL_DEBUG_MSG(1, ("non-matching ALPN extension"));
1748 mbedtls_ssl_send_alert_message(
1749 ssl,
1750 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1751 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT);
1752 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1753 }
1754
1755 /*
1756 * opaque ProtocolName<1..2^8-1>;
1757 *
1758 * struct {
1759 * ProtocolName protocol_name_list<2..2^16-1>
1760 * } ProtocolNameList;
1761 *
1762 * the "ProtocolNameList" MUST contain exactly one "ProtocolName"
1763 */
1764
1765 /* Min length is 2 (list_len) + 1 (name_len) + 1 (name) */
1766 if (len < 4) {
1767 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1768 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1769 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1770 }
1771
1772 list_len = (buf[0] << 8) | buf[1];
1773 if (list_len != len - 2) {
1774 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1775 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1776 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1777 }
1778
1779 name_len = buf[2];
1780 if (name_len != list_len - 1) {
1781 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1782 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1783 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1784 }
1785
1786 /* Check that the server chosen protocol was in our list and save it */
1787 for (p = ssl->conf->alpn_list; *p != NULL; p++) {
1788 if (name_len == strlen(*p) &&
1789 memcmp(buf + 3, *p, name_len) == 0) {
1790 ssl->alpn_chosen = *p;
1791 return 0;
1792 }
1793 }
1794
1795 MBEDTLS_SSL_DEBUG_MSG(1, ("ALPN extension: no matching protocol"));
1796 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1797 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1798 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1799}
1800#endif /* MBEDTLS_SSL_ALPN */
1801
1802#if defined(MBEDTLS_SSL_DTLS_SRTP)
1803MBEDTLS_CHECK_RETURN_CRITICAL
1804static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
1805 const unsigned char *buf,
1806 size_t len)
1807{
1808 mbedtls_ssl_srtp_profile server_protection = MBEDTLS_TLS_SRTP_UNSET;
1809 size_t i, mki_len = 0;
1810 uint16_t server_protection_profile_value = 0;
1811
1812 /* If use_srtp is not configured, just ignore the extension */
1813 if ((ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) ||
1814 (ssl->conf->dtls_srtp_profile_list == NULL) ||
1815 (ssl->conf->dtls_srtp_profile_list_len == 0)) {
1816 return 0;
1817 }
1818
1819 /* RFC 5764 section 4.1.1
1820 * uint8 SRTPProtectionProfile[2];
1821 *
1822 * struct {
1823 * SRTPProtectionProfiles SRTPProtectionProfiles;
1824 * opaque srtp_mki<0..255>;
1825 * } UseSRTPData;
1826
1827 * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
1828 *
1829 */
1830 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED) {
1831 mki_len = ssl->dtls_srtp_info.mki_len;
1832 }
1833
1834 /*
1835 * Length is 5 + optional mki_value : one protection profile length (2 bytes)
1836 * + protection profile (2 bytes)
1837 * + mki_len(1 byte)
1838 * and optional srtp_mki
1839 */
1840 if ((len < 5) || (len != (buf[4] + 5u))) {
1841 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1842 }
1843
1844 /*
1845 * get the server protection profile
1846 */
1847
1848 /*
1849 * protection profile length must be 0x0002 as we must have only
1850 * one protection profile in server Hello
1851 */
1852 if ((buf[0] != 0) || (buf[1] != 2)) {
1853 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1854 }
1855
1856 server_protection_profile_value = (buf[2] << 8) | buf[3];
1857 server_protection = mbedtls_ssl_check_srtp_profile_value(
1858 server_protection_profile_value);
1859 if (server_protection != MBEDTLS_TLS_SRTP_UNSET) {
1860 MBEDTLS_SSL_DEBUG_MSG(3, ("found srtp profile: %s",
1861 mbedtls_ssl_get_srtp_profile_as_string(
1862 server_protection)));
1863 }
1864
1865 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = MBEDTLS_TLS_SRTP_UNSET;
1866
1867 /*
1868 * Check we have the server profile in our list
1869 */
1870 for (i = 0; i < ssl->conf->dtls_srtp_profile_list_len; i++) {
1871 if (server_protection == ssl->conf->dtls_srtp_profile_list[i]) {
1872 ssl->dtls_srtp_info.chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profile_list[i];
1873 MBEDTLS_SSL_DEBUG_MSG(3, ("selected srtp profile: %s",
1874 mbedtls_ssl_get_srtp_profile_as_string(
1875 server_protection)));
1876 break;
1877 }
1878 }
1879
1880 /* If no match was found : server problem, it shall never answer with incompatible profile */
1881 if (ssl->dtls_srtp_info.chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
1882 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1883 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
1884 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1885 }
1886
1887 /* If server does not use mki in its reply, make sure the client won't keep
1888 * one as negotiated */
1889 if (len == 5) {
1890 ssl->dtls_srtp_info.mki_len = 0;
1891 }
1892
1893 /*
1894 * RFC5764:
1895 * If the client detects a nonzero-length MKI in the server's response
1896 * that is different than the one the client offered, then the client
1897 * MUST abort the handshake and SHOULD send an invalid_parameter alert.
1898 */
1899 if (len > 5 && (buf[4] != mki_len ||
1900 (memcmp(ssl->dtls_srtp_info.mki_value, &buf[5], mki_len)))) {
1901 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1902 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
1903 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1904 }
1905#if defined(MBEDTLS_DEBUG_C)
1906 if (len > 5) {
1907 MBEDTLS_SSL_DEBUG_BUF(3, "received mki", ssl->dtls_srtp_info.mki_value,
1908 ssl->dtls_srtp_info.mki_len);
1909 }
1910#endif
1911 return 0;
1912}
1913#endif /* MBEDTLS_SSL_DTLS_SRTP */
1914
1915/*
1916 * Parse HelloVerifyRequest. Only called after verifying the HS type.
1917 */
1918#if defined(MBEDTLS_SSL_PROTO_DTLS)
1919MBEDTLS_CHECK_RETURN_CRITICAL
1920static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
1921{
1922 const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
1923 int major_ver, minor_ver;
1924 unsigned char cookie_len;
1925
1926 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse hello verify request"));
1927
1928 /* Check that there is enough room for:
1929 * - 2 bytes of version
1930 * - 1 byte of cookie_len
1931 */
1932 if (mbedtls_ssl_hs_hdr_len(ssl) + 3 > ssl->in_msglen) {
1933 MBEDTLS_SSL_DEBUG_MSG(1,
1934 ("incoming HelloVerifyRequest message is too short"));
1935 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1936 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1937 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1938 }
1939
1940 /*
1941 * struct {
1942 * ProtocolVersion server_version;
1943 * opaque cookie<0..2^8-1>;
1944 * } HelloVerifyRequest;
1945 */
1946 MBEDTLS_SSL_DEBUG_BUF(3, "server version", p, 2);
1947 mbedtls_ssl_read_version(&major_ver, &minor_ver, ssl->conf->transport, p);
1948 p += 2;
1949
1950 /*
1951 * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1)
1952 * even is lower than our min version.
1953 */
1954 if (major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
1955 minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
1956 major_ver > ssl->conf->max_major_ver ||
1957 minor_ver > ssl->conf->max_minor_ver) {
1958 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server version"));
1959
1960 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1961 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
1962
1963 return MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION;
1964 }
1965
1966 cookie_len = *p++;
1967 if ((ssl->in_msg + ssl->in_msglen) - p < cookie_len) {
1968 MBEDTLS_SSL_DEBUG_MSG(1,
1969 ("cookie length does not match incoming message size"));
1970 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1971 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
1972 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
1973 }
1974 MBEDTLS_SSL_DEBUG_BUF(3, "cookie", p, cookie_len);
1975
1976 mbedtls_free(ssl->handshake->verify_cookie);
1977
1978 ssl->handshake->verify_cookie = mbedtls_calloc(1, cookie_len);
1979 if (ssl->handshake->verify_cookie == NULL) {
1980 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc failed (%d bytes)", cookie_len));
1981 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1982 }
1983
1984 memcpy(ssl->handshake->verify_cookie, p, cookie_len);
1985 ssl->handshake->verify_cookie_len = cookie_len;
1986
1987 /* Start over at ClientHello */
1988 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
1989 mbedtls_ssl_reset_checksum(ssl);
1990
1991 mbedtls_ssl_recv_flight_completed(ssl);
1992
1993 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse hello verify request"));
1994
1995 return 0;
1996}
1997#endif /* MBEDTLS_SSL_PROTO_DTLS */
1998
1999static int is_compression_bad(mbedtls_ssl_context *ssl, unsigned char comp)
2000{
2001 int bad_comp = 0;
2002
2003 /* Suppress warnings in some configurations */
2004 (void) ssl;
2005#if defined(MBEDTLS_ZLIB_SUPPORT)
2006 /* See comments in ssl_write_client_hello() */
2007#if defined(MBEDTLS_SSL_PROTO_DTLS)
2008 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2009 comp != MBEDTLS_SSL_COMPRESS_NULL) {
2010 bad_comp = 1;
2011 }
2012#endif
2013
2014 if (comp != MBEDTLS_SSL_COMPRESS_NULL &&
2015 comp != MBEDTLS_SSL_COMPRESS_DEFLATE) {
2016 bad_comp = 1;
2017 }
2018#else /* MBEDTLS_ZLIB_SUPPORT */
2019 if (comp != MBEDTLS_SSL_COMPRESS_NULL) {
2020 bad_comp = 1;
2021 }
2022#endif /* MBEDTLS_ZLIB_SUPPORT */
2023 return bad_comp;
2024}
2025
2026MBEDTLS_CHECK_RETURN_CRITICAL
2027static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
2028{
2029 int ret, i;
2030 size_t n;
2031 size_t ext_len;
2032 unsigned char *buf, *ext;
2033 unsigned char comp;
2034#if defined(MBEDTLS_SSL_RENEGOTIATION)
2035 int renegotiation_info_seen = 0;
2036#endif
2037 int handshake_failure = 0;
2038 const mbedtls_ssl_ciphersuite_t *suite_info;
2039
2040 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello"));
2041
2042 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
2043 /* No alert on a read error. */
2044 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
2045 return ret;
2046 }
2047
2048 buf = ssl->in_msg;
2049
2050 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
2051#if defined(MBEDTLS_SSL_RENEGOTIATION)
2052 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
2053 ssl->renego_records_seen++;
2054
2055 if (ssl->conf->renego_max_records >= 0 &&
2056 ssl->renego_records_seen > ssl->conf->renego_max_records) {
2057 MBEDTLS_SSL_DEBUG_MSG(1,
2058 ("renegotiation requested, but not honored by server"));
2059 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2060 }
2061
2062 MBEDTLS_SSL_DEBUG_MSG(1,
2063 ("non-handshake message during renegotiation"));
2064
2065 ssl->keep_current_message = 1;
2066 return MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO;
2067 }
2068#endif /* MBEDTLS_SSL_RENEGOTIATION */
2069
2070 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2071 mbedtls_ssl_send_alert_message(
2072 ssl,
2073 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2074 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
2075 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
2076 }
2077
2078#if defined(MBEDTLS_SSL_PROTO_DTLS)
2079 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2080 if (buf[0] == MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST) {
2081 MBEDTLS_SSL_DEBUG_MSG(2, ("received hello verify request"));
2082 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
2083 return ssl_parse_hello_verify_request(ssl);
2084 } else {
2085 /* We made it through the verification process */
2086 mbedtls_free(ssl->handshake->verify_cookie);
2087 ssl->handshake->verify_cookie = NULL;
2088 ssl->handshake->verify_cookie_len = 0;
2089 }
2090 }
2091#endif /* MBEDTLS_SSL_PROTO_DTLS */
2092
2093 if (ssl->in_hslen < 38 + mbedtls_ssl_hs_hdr_len(ssl) ||
2094 buf[0] != MBEDTLS_SSL_HS_SERVER_HELLO) {
2095 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2096 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2097 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2098 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
2099 }
2100
2101 /*
2102 * 0 . 1 server_version
2103 * 2 . 33 random (maybe including 4 bytes of Unix time)
2104 * 34 . 34 session_id length = n
2105 * 35 . 34+n session_id
2106 * 35+n . 36+n cipher_suite
2107 * 37+n . 37+n compression_method
2108 *
2109 * 38+n . 39+n extensions length (optional)
2110 * 40+n . .. extensions
2111 */
2112 buf += mbedtls_ssl_hs_hdr_len(ssl);
2113
2114 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, version", buf + 0, 2);
2115 mbedtls_ssl_read_version(&ssl->major_ver, &ssl->minor_ver,
2116 ssl->conf->transport, buf + 0);
2117
2118 if (ssl->major_ver < ssl->conf->min_major_ver ||
2119 ssl->minor_ver < ssl->conf->min_minor_ver ||
2120 ssl->major_ver > ssl->conf->max_major_ver ||
2121 ssl->minor_ver > ssl->conf->max_minor_ver) {
2122 MBEDTLS_SSL_DEBUG_MSG(1,
2123 (
2124 "server version out of bounds - min: [%d:%d], server: [%d:%d], max: [%d:%d]",
2125 ssl->conf->min_major_ver,
2126 ssl->conf->min_minor_ver,
2127 ssl->major_ver, ssl->minor_ver,
2128 ssl->conf->max_major_ver,
2129 ssl->conf->max_minor_ver));
2130
2131 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2132 MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION);
2133
2134 return MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION;
2135 }
2136
2137 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, current time: %lu",
2138 ((unsigned long) buf[2] << 24) |
2139 ((unsigned long) buf[3] << 16) |
2140 ((unsigned long) buf[4] << 8) |
2141 ((unsigned long) buf[5])));
2142
2143 memcpy(ssl->handshake->randbytes + 32, buf + 2, 32);
2144
2145 n = buf[34];
2146
2147 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, random bytes", buf + 2, 32);
2148
2149 if (n > 32) {
2150 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2151 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2152 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2153 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
2154 }
2155
2156 if (ssl->in_hslen > mbedtls_ssl_hs_hdr_len(ssl) + 39 + n) {
2157 ext_len = ((buf[38 + n] << 8)
2158 | (buf[39 + n]));
2159
2160 if ((ext_len > 0 && ext_len < 4) ||
2161 ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 40 + n + ext_len) {
2162 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2163 mbedtls_ssl_send_alert_message(
2164 ssl,
2165 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2166 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2167 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
2168 }
2169 } else if (ssl->in_hslen == mbedtls_ssl_hs_hdr_len(ssl) + 38 + n) {
2170 ext_len = 0;
2171 } else {
2172 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2173 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2174 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2175 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
2176 }
2177
2178 /* ciphersuite (used later) */
2179 i = (buf[35 + n] << 8) | buf[36 + n];
2180
2181 /*
2182 * Read and check compression
2183 */
2184 comp = buf[37 + n];
2185
2186 if (is_compression_bad(ssl, comp)) {
2187 MBEDTLS_SSL_DEBUG_MSG(1,
2188 ("server hello, bad compression: %d", comp));
2189 mbedtls_ssl_send_alert_message(
2190 ssl,
2191 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2192 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2193 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2194 }
2195
2196 /*
2197 * Initialize update checksum functions
2198 */
2199 ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(i);
2200 if (ssl->handshake->ciphersuite_info == NULL) {
2201 MBEDTLS_SSL_DEBUG_MSG(1,
2202 ("ciphersuite info for %04x not found", (unsigned int) i));
2203 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2204 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
2205 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2206 }
2207
2208 mbedtls_ssl_optimize_checksum(ssl, ssl->handshake->ciphersuite_info);
2209
2210 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, session id len.: %" MBEDTLS_PRINTF_SIZET, n));
2211 MBEDTLS_SSL_DEBUG_BUF(3, "server hello, session id", buf + 35, n);
2212
2213 /*
2214 * Check if the session can be resumed
2215 */
2216 if (ssl->handshake->resume == 0 || n == 0 ||
2217#if defined(MBEDTLS_SSL_RENEGOTIATION)
2218 ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
2219#endif
2220 ssl->session_negotiate->ciphersuite != i ||
2221 ssl->session_negotiate->compression != comp ||
2222 ssl->session_negotiate->id_len != n ||
2223 memcmp(ssl->session_negotiate->id, buf + 35, n) != 0) {
2224 ssl->state++;
2225 ssl->handshake->resume = 0;
2226#if defined(MBEDTLS_HAVE_TIME)
2227 ssl->session_negotiate->start = mbedtls_time(NULL);
2228#endif
2229 ssl->session_negotiate->ciphersuite = i;
2230 ssl->session_negotiate->compression = comp;
2231 ssl->session_negotiate->id_len = n;
2232 memcpy(ssl->session_negotiate->id, buf + 35, n);
2233 } else {
2234 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
2235 }
2236
2237 MBEDTLS_SSL_DEBUG_MSG(3, ("%s session has been resumed",
2238 ssl->handshake->resume ? "a" : "no"));
2239
2240 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: %04x", (unsigned) i));
2241 MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, compress alg.: %d",
2242 buf[37 + n]));
2243
2244 /*
2245 * Perform cipher suite validation in same way as in ssl_write_client_hello.
2246 */
2247 i = 0;
2248 while (1) {
2249 if (ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0) {
2250 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2251 mbedtls_ssl_send_alert_message(
2252 ssl,
2253 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2254 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2255 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
2256 }
2257
2258 if (ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
2259 ssl->session_negotiate->ciphersuite) {
2260 break;
2261 }
2262 }
2263
2264 suite_info = mbedtls_ssl_ciphersuite_from_id(
2265 ssl->session_negotiate->ciphersuite);
2266 if (ssl_validate_ciphersuite(suite_info, ssl, ssl->minor_ver,
2267 ssl->minor_ver) != 0) {
2268 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2269 mbedtls_ssl_send_alert_message(
2270 ssl,
2271 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2272 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2273 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
2274 }
2275
2276 MBEDTLS_SSL_DEBUG_MSG(3,
2277 ("server hello, chosen ciphersuite: %s", suite_info->name));
2278
2279#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2280 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
2281 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
2282 ssl->handshake->ecrs_enabled = 1;
2283 }
2284#endif
2285
2286 if (comp != MBEDTLS_SSL_COMPRESS_NULL
2287#if defined(MBEDTLS_ZLIB_SUPPORT)
2288 && comp != MBEDTLS_SSL_COMPRESS_DEFLATE
2289#endif
2290 ) {
2291 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2292 mbedtls_ssl_send_alert_message(
2293 ssl,
2294 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2295 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
2296 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
2297 }
2298 ssl->session_negotiate->compression = comp;
2299
2300 ext = buf + 40 + n;
2301
2302 MBEDTLS_SSL_DEBUG_MSG(2,
2303 ("server hello, total extension length: %" MBEDTLS_PRINTF_SIZET,
2304 ext_len));
2305
2306 while (ext_len) {
2307 unsigned int ext_id = ((ext[0] << 8)
2308 | (ext[1]));
2309 unsigned int ext_size = ((ext[2] << 8)
2310 | (ext[3]));
2311
2312 if (ext_size + 4 > ext_len) {
2313 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2314 mbedtls_ssl_send_alert_message(
2315 ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2316 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
2317 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
2318 }
2319
2320 switch (ext_id) {
2321 case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
2322 MBEDTLS_SSL_DEBUG_MSG(3, ("found renegotiation extension"));
2323#if defined(MBEDTLS_SSL_RENEGOTIATION)
2324 renegotiation_info_seen = 1;
2325#endif
2326
2327 if ((ret = ssl_parse_renegotiation_info(ssl, ext + 4,
2328 ext_size)) != 0) {
2329 return ret;
2330 }
2331
2332 break;
2333
2334#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2335 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
2336 MBEDTLS_SSL_DEBUG_MSG(3,
2337 ("found max_fragment_length extension"));
2338
2339 if ((ret = ssl_parse_max_fragment_length_ext(ssl,
2340 ext + 4, ext_size)) != 0) {
2341 return ret;
2342 }
2343
2344 break;
2345#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2346
2347#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
2348 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
2349 MBEDTLS_SSL_DEBUG_MSG(3, ("found truncated_hmac extension"));
2350
2351 if ((ret = ssl_parse_truncated_hmac_ext(ssl,
2352 ext + 4, ext_size)) != 0) {
2353 return ret;
2354 }
2355
2356 break;
2357#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
2358
2359#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2360 case MBEDTLS_TLS_EXT_CID:
2361 MBEDTLS_SSL_DEBUG_MSG(3, ("found CID extension"));
2362
2363 if ((ret = ssl_parse_cid_ext(ssl,
2364 ext + 4,
2365 ext_size)) != 0) {
2366 return ret;
2367 }
2368
2369 break;
2370#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2371
2372#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2373 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
2374 MBEDTLS_SSL_DEBUG_MSG(3, ("found encrypt_then_mac extension"));
2375
2376 if ((ret = ssl_parse_encrypt_then_mac_ext(ssl,
2377 ext + 4, ext_size)) != 0) {
2378 return ret;
2379 }
2380
2381 break;
2382#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2383
2384#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2385 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
2386 MBEDTLS_SSL_DEBUG_MSG(3,
2387 ("found extended_master_secret extension"));
2388
2389 if ((ret = ssl_parse_extended_ms_ext(ssl,
2390 ext + 4, ext_size)) != 0) {
2391 return ret;
2392 }
2393
2394 break;
2395#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
2396
2397#if defined(MBEDTLS_SSL_SESSION_TICKETS)
2398 case MBEDTLS_TLS_EXT_SESSION_TICKET:
2399 MBEDTLS_SSL_DEBUG_MSG(3, ("found session_ticket extension"));
2400
2401 if ((ret = ssl_parse_session_ticket_ext(ssl,
2402 ext + 4, ext_size)) != 0) {
2403 return ret;
2404 }
2405
2406 break;
2407#endif /* MBEDTLS_SSL_SESSION_TICKETS */
2408
2409#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
2410 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2411 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
2412 MBEDTLS_SSL_DEBUG_MSG(3,
2413 ("found supported_point_formats extension"));
2414
2415 if ((ret = ssl_parse_supported_point_formats_ext(ssl,
2416 ext + 4, ext_size)) != 0) {
2417 return ret;
2418 }
2419
2420 break;
2421#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
2422 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2423
2424#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2425 case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
2426 MBEDTLS_SSL_DEBUG_MSG(3, ("found ecjpake_kkpp extension"));
2427
2428 if ((ret = ssl_parse_ecjpake_kkpp(ssl,
2429 ext + 4, ext_size)) != 0) {
2430 return ret;
2431 }
2432
2433 break;
2434#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2435
2436#if defined(MBEDTLS_SSL_ALPN)
2437 case MBEDTLS_TLS_EXT_ALPN:
2438 MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
2439
2440 if ((ret = ssl_parse_alpn_ext(ssl, ext + 4, ext_size)) != 0) {
2441 return ret;
2442 }
2443
2444 break;
2445#endif /* MBEDTLS_SSL_ALPN */
2446
2447#if defined(MBEDTLS_SSL_DTLS_SRTP)
2448 case MBEDTLS_TLS_EXT_USE_SRTP:
2449 MBEDTLS_SSL_DEBUG_MSG(3, ("found use_srtp extension"));
2450
2451 if ((ret = ssl_parse_use_srtp_ext(ssl, ext + 4, ext_size)) != 0) {
2452 return ret;
2453 }
2454
2455 break;
2456#endif /* MBEDTLS_SSL_DTLS_SRTP */
2457
2458 default:
2459 MBEDTLS_SSL_DEBUG_MSG(3,
2460 ("unknown extension found: %u (ignoring)", ext_id));
2461 }
2462
2463 ext_len -= 4 + ext_size;
2464 ext += 4 + ext_size;
2465
2466 if (ext_len > 0 && ext_len < 4) {
2467 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello message"));
2468 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
2469 }
2470 }
2471
2472 /*
2473 * mbedtls_ssl_derive_keys() has to be called after the parsing of the
2474 * extensions. It sets the transform data for the resumed session which in
2475 * case of DTLS includes the server CID extracted from the CID extension.
2476 */
2477 if (ssl->handshake->resume) {
2478 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
2479 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
2480 mbedtls_ssl_send_alert_message(
2481 ssl,
2482 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2483 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
2484 return ret;
2485 }
2486 }
2487
2488 /*
2489 * Renegotiation security checks
2490 */
2491 if (ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2492 ssl->conf->allow_legacy_renegotiation ==
2493 MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE) {
2494 MBEDTLS_SSL_DEBUG_MSG(1,
2495 ("legacy renegotiation, breaking off handshake"));
2496 handshake_failure = 1;
2497 }
2498#if defined(MBEDTLS_SSL_RENEGOTIATION)
2499 else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2500 ssl->secure_renegotiation == MBEDTLS_SSL_SECURE_RENEGOTIATION &&
2501 renegotiation_info_seen == 0) {
2502 MBEDTLS_SSL_DEBUG_MSG(1,
2503 ("renegotiation_info extension missing (secure)"));
2504 handshake_failure = 1;
2505 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2506 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2507 ssl->conf->allow_legacy_renegotiation ==
2508 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION) {
2509 MBEDTLS_SSL_DEBUG_MSG(1, ("legacy renegotiation not allowed"));
2510 handshake_failure = 1;
2511 } else if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
2512 ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
2513 renegotiation_info_seen == 1) {
2514 MBEDTLS_SSL_DEBUG_MSG(1,
2515 ("renegotiation_info extension present (legacy)"));
2516 handshake_failure = 1;
2517 }
2518#endif /* MBEDTLS_SSL_RENEGOTIATION */
2519
2520 if (handshake_failure == 1) {
2521 mbedtls_ssl_send_alert_message(
2522 ssl,
2523 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2524 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
2525 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO;
2526 }
2527
2528 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello"));
2529
2530 return 0;
2531}
2532
2533#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2534 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
2535MBEDTLS_CHECK_RETURN_CRITICAL
2536static int ssl_parse_server_dh_params(mbedtls_ssl_context *ssl,
2537 unsigned char **p,
2538 unsigned char *end)
2539{
2540 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2541 size_t dhm_actual_bitlen;
2542
2543 /*
2544 * Ephemeral DH parameters:
2545 *
2546 * struct {
2547 * opaque dh_p<1..2^16-1>;
2548 * opaque dh_g<1..2^16-1>;
2549 * opaque dh_Ys<1..2^16-1>;
2550 * } ServerDHParams;
2551 */
2552 if ((ret = mbedtls_dhm_read_params(&ssl->handshake->dhm_ctx,
2553 p, end)) != 0) {
2554 MBEDTLS_SSL_DEBUG_RET(2, ("mbedtls_dhm_read_params"), ret);
2555 return ret;
2556 }
2557
2558 dhm_actual_bitlen = mbedtls_mpi_bitlen(&ssl->handshake->dhm_ctx.P);
2559 if (dhm_actual_bitlen < ssl->conf->dhm_min_bitlen) {
2560 MBEDTLS_SSL_DEBUG_MSG(1, ("DHM prime too short: %" MBEDTLS_PRINTF_SIZET " < %u",
2561 dhm_actual_bitlen,
2562 ssl->conf->dhm_min_bitlen));
2563 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2564 }
2565
2566 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: P ", &ssl->handshake->dhm_ctx.P);
2567 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: G ", &ssl->handshake->dhm_ctx.G);
2568 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GY", &ssl->handshake->dhm_ctx.GY);
2569
2570 return ret;
2571}
2572#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2573 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
2574
2575#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2576 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2577 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
2578 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2579 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2580MBEDTLS_CHECK_RETURN_CRITICAL
2581static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl)
2582{
2583 const mbedtls_ecp_curve_info *curve_info;
2584 mbedtls_ecp_group_id grp_id;
2585#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
2586 grp_id = ssl->handshake->ecdh_ctx.grp.id;
2587#else
2588 grp_id = ssl->handshake->ecdh_ctx.grp_id;
2589#endif /* MBEDTLS_ECDH_LEGACY_CONTEXT */
2590
2591 curve_info = mbedtls_ecp_curve_info_from_grp_id(grp_id);
2592 if (curve_info == NULL) {
2593 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2594 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2595 }
2596
2597 MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s", curve_info->name));
2598
2599#if defined(MBEDTLS_ECP_C)
2600 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
2601 return -1;
2602 }
2603#else
2604 if (ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
2605 ssl->handshake->ecdh_ctx.grp.nbits > 521) {
2606 return -1;
2607 }
2608#endif /* MBEDTLS_ECP_C */
2609
2610 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
2611 MBEDTLS_DEBUG_ECDH_QP);
2612
2613 return 0;
2614}
2615#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2616 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2617 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
2618 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
2619 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2620
2621#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
2622 (defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2623 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED))
2624MBEDTLS_CHECK_RETURN_CRITICAL
2625static int ssl_parse_server_ecdh_params_psa(mbedtls_ssl_context *ssl,
2626 unsigned char **p,
2627 unsigned char *end)
2628{
2629 uint16_t tls_id;
2630 size_t ecdh_bits = 0;
2631 uint8_t ecpoint_len;
2632 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
2633
2634 /*
2635 * Parse ECC group
2636 */
2637
2638 if (end - *p < 4) {
2639 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2640 }
2641
2642 /* First byte is curve_type; only named_curve is handled */
2643 if (*(*p)++ != MBEDTLS_ECP_TLS_NAMED_CURVE) {
2644 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2645 }
2646
2647 /* Next two bytes are the namedcurve value */
2648 tls_id = *(*p)++;
2649 tls_id <<= 8;
2650 tls_id |= *(*p)++;
2651
2652 /* Check it's a curve we offered */
2653 if (mbedtls_ssl_check_curve_tls_id(ssl, tls_id) != 0) {
2654 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2655 }
2656
2657 /* Convert EC group to PSA key type. */
2658 if ((handshake->ecdh_psa_type =
2659 mbedtls_psa_parse_tls_ecc_group(tls_id, &ecdh_bits)) == 0) {
2660 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2661 }
2662 if (ecdh_bits > 0xffff) {
2663 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2664 }
2665 handshake->ecdh_bits = (uint16_t) ecdh_bits;
2666
2667 /*
2668 * Put peer's ECDH public key in the format understood by PSA.
2669 */
2670
2671 ecpoint_len = *(*p)++;
2672 if ((size_t) (end - *p) < ecpoint_len) {
2673 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2674 }
2675
2676 if (mbedtls_psa_tls_ecpoint_to_psa_ec(
2677 *p, ecpoint_len,
2678 handshake->ecdh_psa_peerkey,
2679 sizeof(handshake->ecdh_psa_peerkey),
2680 &handshake->ecdh_psa_peerkey_len) != 0) {
2681 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2682 }
2683
2684 *p += ecpoint_len;
2685 return 0;
2686}
2687#endif /* MBEDTLS_USE_PSA_CRYPTO &&
2688 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2689 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
2690
2691#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2692 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
2693 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
2694MBEDTLS_CHECK_RETURN_CRITICAL
2695static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
2696 unsigned char **p,
2697 unsigned char *end)
2698{
2699 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2700
2701 /*
2702 * Ephemeral ECDH parameters:
2703 *
2704 * struct {
2705 * ECParameters curve_params;
2706 * ECPoint public;
2707 * } ServerECDHParams;
2708 */
2709 if ((ret = mbedtls_ecdh_read_params(&ssl->handshake->ecdh_ctx,
2710 (const unsigned char **) p, end)) != 0) {
2711 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_read_params"), ret);
2712#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2713 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
2714 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
2715 }
2716#endif
2717 return ret;
2718 }
2719
2720 if (ssl_check_server_ecdh_params(ssl) != 0) {
2721 MBEDTLS_SSL_DEBUG_MSG(1,
2722 ("bad server key exchange message (ECDHE curve)"));
2723 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2724 }
2725
2726 return ret;
2727}
2728#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2729 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
2730 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
2731
2732#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
2733MBEDTLS_CHECK_RETURN_CRITICAL
2734static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl,
2735 unsigned char **p,
2736 unsigned char *end)
2737{
2738 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2739 uint16_t len;
2740 ((void) ssl);
2741
2742 /*
2743 * PSK parameters:
2744 *
2745 * opaque psk_identity_hint<0..2^16-1>;
2746 */
2747 if (end - (*p) < 2) {
2748 MBEDTLS_SSL_DEBUG_MSG(1,
2749 ("bad server key exchange message (psk_identity_hint length)"));
2750 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2751 }
2752 len = (*p)[0] << 8 | (*p)[1];
2753 *p += 2;
2754
2755 if (end - (*p) < len) {
2756 MBEDTLS_SSL_DEBUG_MSG(1,
2757 ("bad server key exchange message (psk_identity_hint length)"));
2758 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2759 }
2760
2761 /*
2762 * Note: we currently ignore the PSK identity hint, as we only allow one
2763 * PSK to be provisioned on the client. This could be changed later if
2764 * someone needs that feature.
2765 */
2766 *p += len;
2767 ret = 0;
2768
2769 return ret;
2770}
2771#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
2772
2773#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
2774 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
2775/*
2776 * Generate a pre-master secret and encrypt it with the server's RSA key
2777 */
2778MBEDTLS_CHECK_RETURN_CRITICAL
2779static int ssl_write_encrypted_pms(mbedtls_ssl_context *ssl,
2780 size_t offset, size_t *olen,
2781 size_t pms_offset)
2782{
2783 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2784 size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
2785 unsigned char *p = ssl->handshake->premaster + pms_offset;
2786 mbedtls_pk_context *peer_pk;
2787
2788 if (offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2789 MBEDTLS_SSL_DEBUG_MSG(1, ("buffer too small for encrypted pms"));
2790 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
2791 }
2792
2793 /*
2794 * Generate (part of) the pre-master as
2795 * struct {
2796 * ProtocolVersion client_version;
2797 * opaque random[46];
2798 * } PreMasterSecret;
2799 */
2800 mbedtls_ssl_write_version(ssl->conf->max_major_ver,
2801 ssl->conf->max_minor_ver,
2802 ssl->conf->transport, p);
2803
2804 if ((ret = ssl->conf->f_rng(ssl->conf->p_rng, p + 2, 46)) != 0) {
2805 MBEDTLS_SSL_DEBUG_RET(1, "f_rng", ret);
2806 return ret;
2807 }
2808
2809 ssl->handshake->pmslen = 48;
2810
2811#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2812 peer_pk = &ssl->handshake->peer_pubkey;
2813#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2814 if (ssl->session_negotiate->peer_cert == NULL) {
2815 /* Should never happen */
2816 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2817 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2818 }
2819 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2820#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2821
2822 /*
2823 * Now write it out, encrypted
2824 */
2825 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_RSA)) {
2826 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate key type mismatch"));
2827 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2828 }
2829
2830 if ((ret = mbedtls_pk_encrypt(peer_pk,
2831 p, ssl->handshake->pmslen,
2832 ssl->out_msg + offset + len_bytes, olen,
2833 MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,
2834 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
2835 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_rsa_pkcs1_encrypt", ret);
2836 return ret;
2837 }
2838
2839#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2840 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2841 if (len_bytes == 2) {
2842 MBEDTLS_PUT_UINT16_BE(*olen, ssl->out_msg, offset);
2843 *olen += 2;
2844 }
2845#endif
2846
2847#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2848 /* We don't need the peer's public key anymore. Free it. */
2849 mbedtls_pk_free(peer_pk);
2850#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2851 return 0;
2852}
2853#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
2854 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
2855
2856#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2857#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
2858 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
2859 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
2860MBEDTLS_CHECK_RETURN_CRITICAL
2861static int ssl_parse_signature_algorithm(mbedtls_ssl_context *ssl,
2862 unsigned char **p,
2863 unsigned char *end,
2864 mbedtls_md_type_t *md_alg,
2865 mbedtls_pk_type_t *pk_alg)
2866{
2867 ((void) ssl);
2868 *md_alg = MBEDTLS_MD_NONE;
2869 *pk_alg = MBEDTLS_PK_NONE;
2870
2871 /* Only in TLS 1.2 */
2872 if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
2873 return 0;
2874 }
2875
2876 if ((*p) + 2 > end) {
2877 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2878 }
2879
2880 /*
2881 * Get hash algorithm
2882 */
2883 if ((*md_alg = mbedtls_ssl_md_alg_from_hash((*p)[0]))
2884 == MBEDTLS_MD_NONE) {
2885 MBEDTLS_SSL_DEBUG_MSG(1,
2886 ("Server used unsupported HashAlgorithm %d", *(p)[0]));
2887 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2888 }
2889
2890 /*
2891 * Get signature algorithm
2892 */
2893 if ((*pk_alg = mbedtls_ssl_pk_alg_from_sig((*p)[1]))
2894 == MBEDTLS_PK_NONE) {
2895 MBEDTLS_SSL_DEBUG_MSG(1,
2896 ("server used unsupported SignatureAlgorithm %d", (*p)[1]));
2897 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2898 }
2899
2900 /*
2901 * Check if the hash is acceptable
2902 */
2903 if (mbedtls_ssl_check_sig_hash(ssl, *md_alg) != 0) {
2904 MBEDTLS_SSL_DEBUG_MSG(1,
2905 ("server used HashAlgorithm %d that was not offered", *(p)[0]));
2906 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
2907 }
2908
2909 MBEDTLS_SSL_DEBUG_MSG(2, ("Server used SignatureAlgorithm %d",
2910 (*p)[1]));
2911 MBEDTLS_SSL_DEBUG_MSG(2, ("Server used HashAlgorithm %d",
2912 (*p)[0]));
2913 *p += 2;
2914
2915 return 0;
2916}
2917#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
2918 MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
2919 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
2920#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2921
2922#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2923 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2924MBEDTLS_CHECK_RETURN_CRITICAL
2925static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
2926{
2927 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2928 const mbedtls_ecp_keypair *peer_key;
2929 mbedtls_pk_context *peer_pk;
2930
2931#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2932 peer_pk = &ssl->handshake->peer_pubkey;
2933#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2934 if (ssl->session_negotiate->peer_cert == NULL) {
2935 /* Should never happen */
2936 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
2937 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2938 }
2939 peer_pk = &ssl->session_negotiate->peer_cert->pk;
2940#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2941
2942 /* This is a public key, so it can't be opaque, so can_do() is a good
2943 * enough check to ensure pk_ec() is safe to use below. */
2944 if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) {
2945 MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable"));
2946 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
2947 }
2948
2949 peer_key = mbedtls_pk_ec(*peer_pk);
2950
2951 if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, peer_key,
2952 MBEDTLS_ECDH_THEIRS)) != 0) {
2953 MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret);
2954 return ret;
2955 }
2956
2957 if (ssl_check_server_ecdh_params(ssl) != 0) {
2958 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));
2959 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
2960 }
2961
2962#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2963 /* We don't need the peer's public key anymore. Free it,
2964 * so that more RAM is available for upcoming expensive
2965 * operations like ECDHE. */
2966 mbedtls_pk_free(peer_pk);
2967#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2968
2969 return ret;
2970}
2971#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
2972 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
2973
2974MBEDTLS_CHECK_RETURN_CRITICAL
2975static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl)
2976{
2977 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2978 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2979 ssl->handshake->ciphersuite_info;
2980 unsigned char *p = NULL, *end = NULL;
2981
2982 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange"));
2983
2984#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
2985 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
2986 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
2987 ssl->state++;
2988 return 0;
2989 }
2990 ((void) p);
2991 ((void) end);
2992#endif
2993
2994#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
2995 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
2996 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
2997 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
2998 if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) {
2999 MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret);
3000 mbedtls_ssl_send_alert_message(
3001 ssl,
3002 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3003 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
3004 return ret;
3005 }
3006
3007 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange"));
3008 ssl->state++;
3009 return 0;
3010 }
3011 ((void) p);
3012 ((void) end);
3013#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3014 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3015
3016#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3017 if (ssl->handshake->ecrs_enabled &&
3018 ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) {
3019 goto start_processing;
3020 }
3021#endif
3022
3023 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3024 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3025 return ret;
3026 }
3027
3028 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3029 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
3030 mbedtls_ssl_send_alert_message(
3031 ssl,
3032 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3033 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
3034 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3035 }
3036
3037 /*
3038 * ServerKeyExchange may be skipped with PSK and RSA-PSK when the server
3039 * doesn't use a psk_identity_hint
3040 */
3041 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE) {
3042 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3043 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3044 /* Current message is probably either
3045 * CertificateRequest or ServerHelloDone */
3046 ssl->keep_current_message = 1;
3047 goto exit;
3048 }
3049
3050 MBEDTLS_SSL_DEBUG_MSG(1,
3051 ("server key exchange message must not be skipped"));
3052 mbedtls_ssl_send_alert_message(
3053 ssl,
3054 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3055 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
3056
3057 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3058 }
3059
3060#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3061 if (ssl->handshake->ecrs_enabled) {
3062 ssl->handshake->ecrs_state = ssl_ecrs_ske_start_processing;
3063 }
3064
3065start_processing:
3066#endif
3067 p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
3068 end = ssl->in_msg + ssl->in_hslen;
3069 MBEDTLS_SSL_DEBUG_BUF(3, "server key exchange", p, end - p);
3070
3071#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
3072 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3073 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
3074 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
3075 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
3076 if (ssl_parse_server_psk_hint(ssl, &p, end) != 0) {
3077 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
3078 mbedtls_ssl_send_alert_message(
3079 ssl,
3080 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3081 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3082 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
3083 }
3084 } /* FALLTHROUGH */
3085#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
3086
3087#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
3088 defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3089 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
3090 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3091 ; /* nothing more to do */
3092 } else
3093#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
3094 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
3095#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
3096 defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3097 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
3098 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3099 if (ssl_parse_server_dh_params(ssl, &p, end) != 0) {
3100 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
3101 mbedtls_ssl_send_alert_message(
3102 ssl,
3103 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3104 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3105 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
3106 }
3107 } else
3108#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
3109 MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3110#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3111 (defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3112 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED))
3113 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3114 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
3115 if (ssl_parse_server_ecdh_params_psa(ssl, &p, end) != 0) {
3116 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
3117 mbedtls_ssl_send_alert_message(
3118 ssl,
3119 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3120 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3121 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
3122 }
3123 } else
3124#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3125 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3126 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
3127#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3128 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
3129 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
3130 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3131 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
3132 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
3133 if (ssl_parse_server_ecdh_params(ssl, &p, end) != 0) {
3134 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
3135 mbedtls_ssl_send_alert_message(
3136 ssl,
3137 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3138 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3139 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
3140 }
3141 } else
3142#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3143 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
3144 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
3145#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3146 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
3147 ret = mbedtls_ecjpake_read_round_two(&ssl->handshake->ecjpake_ctx,
3148 p, end - p);
3149 if (ret != 0) {
3150 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_read_round_two", ret);
3151 mbedtls_ssl_send_alert_message(
3152 ssl,
3153 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3154 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3155 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
3156 }
3157 } else
3158#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3159 {
3160 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3161 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3162 }
3163
3164#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
3165 if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) {
3166 size_t sig_len, hashlen;
3167#if defined(MBEDTLS_USE_PSA_CRYPTO)
3168 unsigned char hash[PSA_HASH_MAX_SIZE];
3169#else
3170 unsigned char hash[MBEDTLS_MD_MAX_SIZE];
3171#endif
3172 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3173 mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
3174 unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
3175 size_t params_len = p - params;
3176 void *rs_ctx = NULL;
3177
3178 mbedtls_pk_context *peer_pk;
3179
3180 /*
3181 * Handle the digitally-signed structure
3182 */
3183#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3184 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
3185 if (ssl_parse_signature_algorithm(ssl, &p, end,
3186 &md_alg, &pk_alg) != 0) {
3187 MBEDTLS_SSL_DEBUG_MSG(1,
3188 ("bad server key exchange message"));
3189 mbedtls_ssl_send_alert_message(
3190 ssl,
3191 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3192 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3193 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
3194 }
3195
3196 if (pk_alg !=
3197 mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info)) {
3198 MBEDTLS_SSL_DEBUG_MSG(1,
3199 ("bad server key exchange message"));
3200 mbedtls_ssl_send_alert_message(
3201 ssl,
3202 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3203 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER);
3204 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
3205 }
3206 } else
3207#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3208#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3209 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3210 if (ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3) {
3211 pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg(ciphersuite_info);
3212
3213 /* Default hash for ECDSA is SHA-1 */
3214 if (pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE) {
3215 md_alg = MBEDTLS_MD_SHA1;
3216 }
3217 } else
3218#endif
3219 {
3220 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3221 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3222 }
3223
3224 /*
3225 * Read signature
3226 */
3227
3228 if (p > end - 2) {
3229 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
3230 mbedtls_ssl_send_alert_message(
3231 ssl,
3232 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3233 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3234 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
3235 }
3236 sig_len = (p[0] << 8) | p[1];
3237 p += 2;
3238
3239 if (p != end - sig_len) {
3240 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
3241 mbedtls_ssl_send_alert_message(
3242 ssl,
3243 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3244 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3245 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE;
3246 }
3247
3248 MBEDTLS_SSL_DEBUG_BUF(3, "signature", p, sig_len);
3249
3250 /*
3251 * Compute the hash that has been signed
3252 */
3253#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
3254 defined(MBEDTLS_SSL_PROTO_TLS1_1)
3255 if (md_alg == MBEDTLS_MD_NONE) {
3256 hashlen = 36;
3257 ret = mbedtls_ssl_get_key_exchange_md_ssl_tls(ssl, hash, params,
3258 params_len);
3259 if (ret != 0) {
3260 return ret;
3261 }
3262 } else
3263#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
3264 MBEDTLS_SSL_PROTO_TLS1_1 */
3265#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3266 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3267 if (md_alg != MBEDTLS_MD_NONE) {
3268 ret = mbedtls_ssl_get_key_exchange_md_tls1_2(ssl, hash, &hashlen,
3269 params, params_len,
3270 md_alg);
3271 if (ret != 0) {
3272 return ret;
3273 }
3274 } else
3275#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
3276 MBEDTLS_SSL_PROTO_TLS1_2 */
3277 {
3278 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3279 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3280 }
3281
3282 MBEDTLS_SSL_DEBUG_BUF(3, "parameters hash", hash, hashlen);
3283
3284#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3285 peer_pk = &ssl->handshake->peer_pubkey;
3286#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3287 if (ssl->session_negotiate->peer_cert == NULL) {
3288 /* Should never happen */
3289 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3290 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3291 }
3292 peer_pk = &ssl->session_negotiate->peer_cert->pk;
3293#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3294
3295 /*
3296 * Verify signature
3297 */
3298 if (!mbedtls_pk_can_do(peer_pk, pk_alg)) {
3299 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message"));
3300 mbedtls_ssl_send_alert_message(
3301 ssl,
3302 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3303 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
3304 return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH;
3305 }
3306
3307#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3308 if (ssl->handshake->ecrs_enabled) {
3309 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
3310 }
3311#endif /* MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED */
3312
3313 if ((ret = mbedtls_pk_verify_restartable(peer_pk,
3314 md_alg, hash, hashlen, p, sig_len, rs_ctx)) != 0) {
3315#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3316 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
3317 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
3318 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3319 }
3320#endif /* MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED */
3321 mbedtls_ssl_send_alert_message(
3322 ssl,
3323 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3324 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
3325 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify", ret);
3326 return ret;
3327 }
3328
3329#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3330 /* We don't need the peer's public key anymore. Free it,
3331 * so that more RAM is available for upcoming expensive
3332 * operations like ECDHE. */
3333 mbedtls_pk_free(peer_pk);
3334#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3335 }
3336#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
3337
3338exit:
3339 ssl->state++;
3340
3341 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server key exchange"));
3342
3343 return 0;
3344}
3345
3346#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
3347MBEDTLS_CHECK_RETURN_CRITICAL
3348static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
3349{
3350 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3351 ssl->handshake->ciphersuite_info;
3352
3353 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
3354
3355 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3356 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
3357 ssl->state++;
3358 return 0;
3359 }
3360
3361 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3362 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3363}
3364#else /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
3365MBEDTLS_CHECK_RETURN_CRITICAL
3366static int ssl_parse_certificate_request(mbedtls_ssl_context *ssl)
3367{
3368 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3369 unsigned char *buf;
3370 size_t n = 0;
3371 size_t cert_type_len = 0, dn_len = 0;
3372 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3373 ssl->handshake->ciphersuite_info;
3374
3375 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate request"));
3376
3377 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3378 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate request"));
3379 ssl->state++;
3380 return 0;
3381 }
3382
3383 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3384 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3385 return ret;
3386 }
3387
3388 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3389 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
3390 mbedtls_ssl_send_alert_message(
3391 ssl,
3392 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3393 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
3394 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3395 }
3396
3397 ssl->state++;
3398 ssl->client_auth = (ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST);
3399
3400 MBEDTLS_SSL_DEBUG_MSG(3, ("got %s certificate request",
3401 ssl->client_auth ? "a" : "no"));
3402
3403 if (ssl->client_auth == 0) {
3404 /* Current message is probably the ServerHelloDone */
3405 ssl->keep_current_message = 1;
3406 goto exit;
3407 }
3408
3409 /*
3410 * struct {
3411 * ClientCertificateType certificate_types<1..2^8-1>;
3412 * SignatureAndHashAlgorithm
3413 * supported_signature_algorithms<2^16-1>; -- TLS 1.2 only
3414 * DistinguishedName certificate_authorities<0..2^16-1>;
3415 * } CertificateRequest;
3416 *
3417 * Since we only support a single certificate on clients, let's just
3418 * ignore all the information that's supposed to help us pick a
3419 * certificate.
3420 *
3421 * We could check that our certificate matches the request, and bail out
3422 * if it doesn't, but it's simpler to just send the certificate anyway,
3423 * and give the server the opportunity to decide if it should terminate
3424 * the connection when it doesn't like our certificate.
3425 *
3426 * Same goes for the hash in TLS 1.2's signature_algorithms: at this
3427 * point we only have one hash available (see comments in
3428 * write_certificate_verify), so let's just use what we have.
3429 *
3430 * However, we still minimally parse the message to check it is at least
3431 * superficially sane.
3432 */
3433 buf = ssl->in_msg;
3434
3435 /* certificate_types */
3436 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)) {
3437 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
3438 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3439 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3440 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST;
3441 }
3442 cert_type_len = buf[mbedtls_ssl_hs_hdr_len(ssl)];
3443 n = cert_type_len;
3444
3445 /*
3446 * In the subsequent code there are two paths that read from buf:
3447 * * the length of the signature algorithms field (if minor version of
3448 * SSL is 3),
3449 * * distinguished name length otherwise.
3450 * Both reach at most the index:
3451 * ...hdr_len + 2 + n,
3452 * therefore the buffer length at this point must be greater than that
3453 * regardless of the actual code path.
3454 */
3455 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl) + 2 + n) {
3456 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
3457 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3458 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3459 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST;
3460 }
3461
3462 /* supported_signature_algorithms */
3463#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3464 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
3465 size_t sig_alg_len =
3466 ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
3467 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
3468#if defined(MBEDTLS_DEBUG_C)
3469 unsigned char *sig_alg;
3470 size_t i;
3471#endif
3472
3473 /*
3474 * The furthest access in buf is in the loop few lines below:
3475 * sig_alg[i + 1],
3476 * where:
3477 * sig_alg = buf + ...hdr_len + 3 + n,
3478 * max(i) = sig_alg_len - 1.
3479 * Therefore the furthest access is:
3480 * buf[...hdr_len + 3 + n + sig_alg_len - 1 + 1],
3481 * which reduces to:
3482 * buf[...hdr_len + 3 + n + sig_alg_len],
3483 * which is one less than we need the buf to be.
3484 */
3485 if (ssl->in_hslen <= mbedtls_ssl_hs_hdr_len(ssl)
3486 + 3 + n + sig_alg_len) {
3487 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
3488 mbedtls_ssl_send_alert_message(
3489 ssl,
3490 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3491 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3492 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST;
3493 }
3494
3495#if defined(MBEDTLS_DEBUG_C)
3496 sig_alg = buf + mbedtls_ssl_hs_hdr_len(ssl) + 3 + n;
3497 for (i = 0; i < sig_alg_len; i += 2) {
3498 MBEDTLS_SSL_DEBUG_MSG(3,
3499 ("Supported Signature Algorithm found: %d,%d",
3500 sig_alg[i], sig_alg[i + 1]));
3501 }
3502#endif
3503
3504 n += 2 + sig_alg_len;
3505 }
3506#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3507
3508 /* certificate_authorities */
3509 dn_len = ((buf[mbedtls_ssl_hs_hdr_len(ssl) + 1 + n] << 8)
3510 | (buf[mbedtls_ssl_hs_hdr_len(ssl) + 2 + n]));
3511
3512 n += dn_len;
3513 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + 3 + n) {
3514 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate request message"));
3515 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3516 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3517 return MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST;
3518 }
3519
3520exit:
3521 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate request"));
3522
3523 return 0;
3524}
3525#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
3526
3527MBEDTLS_CHECK_RETURN_CRITICAL
3528static int ssl_parse_server_hello_done(mbedtls_ssl_context *ssl)
3529{
3530 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3531
3532 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server hello done"));
3533
3534 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
3535 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
3536 return ret;
3537 }
3538
3539 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
3540 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
3541 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
3542 }
3543
3544 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) ||
3545 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO_DONE) {
3546 MBEDTLS_SSL_DEBUG_MSG(1, ("bad server hello done message"));
3547 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
3548 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
3549 return MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE;
3550 }
3551
3552 ssl->state++;
3553
3554#if defined(MBEDTLS_SSL_PROTO_DTLS)
3555 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3556 mbedtls_ssl_recv_flight_completed(ssl);
3557 }
3558#endif
3559
3560 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse server hello done"));
3561
3562 return 0;
3563}
3564
3565MBEDTLS_CHECK_RETURN_CRITICAL
3566static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl)
3567{
3568 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3569
3570 size_t header_len;
3571 size_t content_len;
3572 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3573 ssl->handshake->ciphersuite_info;
3574
3575 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange"));
3576
3577#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
3578 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA) {
3579 /*
3580 * DHM key exchange -- send G^X mod P
3581 */
3582 content_len = ssl->handshake->dhm_ctx.len;
3583
3584 MBEDTLS_PUT_UINT16_BE(content_len, ssl->out_msg, 4);
3585 header_len = 6;
3586
3587 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
3588 (int) mbedtls_mpi_size(&ssl->handshake->dhm_ctx.P),
3589 &ssl->out_msg[header_len], content_len,
3590 ssl->conf->f_rng, ssl->conf->p_rng);
3591 if (ret != 0) {
3592 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
3593 return ret;
3594 }
3595
3596 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: X ", &ssl->handshake->dhm_ctx.X);
3597 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: GX", &ssl->handshake->dhm_ctx.GX);
3598
3599 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
3600 ssl->handshake->premaster,
3601 MBEDTLS_PREMASTER_SIZE,
3602 &ssl->handshake->pmslen,
3603 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3604 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
3605 return ret;
3606 }
3607
3608 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
3609 } else
3610#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
3611#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3612 (defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3613 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED))
3614 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3615 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) {
3616 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
3617 psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED;
3618 psa_key_attributes_t key_attributes;
3619
3620 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
3621
3622 unsigned char own_pubkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
3623 size_t own_pubkey_len;
3624 unsigned char *own_pubkey_ecpoint;
3625 size_t own_pubkey_ecpoint_len;
3626
3627 header_len = 4;
3628
3629 MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
3630
3631 /*
3632 * Generate EC private key for ECDHE exchange.
3633 */
3634
3635 /* The master secret is obtained from the shared ECDH secret by
3636 * applying the TLS 1.2 PRF with a specific salt and label. While
3637 * the PSA Crypto API encourages combining key agreement schemes
3638 * such as ECDH with fixed KDFs such as TLS 1.2 PRF, it does not
3639 * yet support the provisioning of salt + label to the KDF.
3640 * For the time being, we therefore need to split the computation
3641 * of the ECDH secret and the application of the TLS 1.2 PRF. */
3642 key_attributes = psa_key_attributes_init();
3643 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
3644 psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH);
3645 psa_set_key_type(&key_attributes, handshake->ecdh_psa_type);
3646 psa_set_key_bits(&key_attributes, handshake->ecdh_bits);
3647
3648 /* Generate ECDH private key. */
3649 status = psa_generate_key(&key_attributes,
3650 &handshake->ecdh_psa_privkey);
3651 if (status != PSA_SUCCESS) {
3652 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
3653 }
3654
3655 /* Export the public part of the ECDH private key from PSA
3656 * and convert it to ECPoint format used in ClientKeyExchange. */
3657 status = psa_export_public_key(handshake->ecdh_psa_privkey,
3658 own_pubkey, sizeof(own_pubkey),
3659 &own_pubkey_len);
3660 if (status != PSA_SUCCESS) {
3661 psa_destroy_key(handshake->ecdh_psa_privkey);
3662 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3663 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
3664 }
3665
3666 if (mbedtls_psa_tls_psa_ec_to_ecpoint(own_pubkey,
3667 own_pubkey_len,
3668 &own_pubkey_ecpoint,
3669 &own_pubkey_ecpoint_len) != 0) {
3670 psa_destroy_key(handshake->ecdh_psa_privkey);
3671 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3672 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
3673 }
3674
3675 /* Copy ECPoint structure to outgoing message buffer. */
3676 ssl->out_msg[header_len] = (unsigned char) own_pubkey_ecpoint_len;
3677 memcpy(ssl->out_msg + header_len + 1,
3678 own_pubkey_ecpoint, own_pubkey_ecpoint_len);
3679 content_len = own_pubkey_ecpoint_len + 1;
3680
3681 /* The ECDH secret is the premaster secret used for key derivation. */
3682
3683 /* Compute ECDH shared secret. */
3684 status = psa_raw_key_agreement(PSA_ALG_ECDH,
3685 handshake->ecdh_psa_privkey,
3686 handshake->ecdh_psa_peerkey,
3687 handshake->ecdh_psa_peerkey_len,
3688 ssl->handshake->premaster,
3689 sizeof(ssl->handshake->premaster),
3690 &ssl->handshake->pmslen);
3691
3692 destruction_status = psa_destroy_key(handshake->ecdh_psa_privkey);
3693 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
3694
3695 if (status != PSA_SUCCESS || destruction_status != PSA_SUCCESS) {
3696 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
3697 }
3698 } else
3699#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3700 ( MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3701 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ) */
3702#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
3703 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
3704 defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
3705 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
3706 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
3707 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
3708 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
3709 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) {
3710 /*
3711 * ECDH key exchange -- send client public value
3712 */
3713 header_len = 4;
3714
3715#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3716 if (ssl->handshake->ecrs_enabled) {
3717 if (ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret) {
3718 goto ecdh_calc_secret;
3719 }
3720
3721 mbedtls_ecdh_enable_restart(&ssl->handshake->ecdh_ctx);
3722 }
3723#endif
3724
3725 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
3726 &content_len,
3727 &ssl->out_msg[header_len], 1000,
3728 ssl->conf->f_rng, ssl->conf->p_rng);
3729 if (ret != 0) {
3730 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
3731#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3732 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
3733 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3734 }
3735#endif
3736 return ret;
3737 }
3738
3739 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3740 MBEDTLS_DEBUG_ECDH_Q);
3741
3742#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3743 if (ssl->handshake->ecrs_enabled) {
3744 ssl->handshake->ecrs_n = content_len;
3745 ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret;
3746 }
3747
3748ecdh_calc_secret:
3749 if (ssl->handshake->ecrs_enabled) {
3750 content_len = ssl->handshake->ecrs_n;
3751 }
3752#endif
3753 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx,
3754 &ssl->handshake->pmslen,
3755 ssl->handshake->premaster,
3756 MBEDTLS_MPI_MAX_SIZE,
3757 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
3758 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
3759#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
3760 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
3761 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
3762 }
3763#endif
3764 return ret;
3765 }
3766
3767 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3768 MBEDTLS_DEBUG_ECDH_Z);
3769 } else
3770#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
3771 MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
3772 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
3773 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
3774#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
3775 if (mbedtls_ssl_ciphersuite_uses_psk(ciphersuite_info)) {
3776 /*
3777 * opaque psk_identity<0..2^16-1>;
3778 */
3779 if (ssl_conf_has_static_psk(ssl->conf) == 0) {
3780 /* We don't offer PSK suites if we don't have a PSK,
3781 * and we check that the server's choice is among the
3782 * ciphersuites we offered, so this should never happen. */
3783 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3784 }
3785
3786 header_len = 4;
3787 content_len = ssl->conf->psk_identity_len;
3788
3789 if (header_len + 2 + content_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
3790 MBEDTLS_SSL_DEBUG_MSG(1,
3791 ("psk identity too long or SSL buffer too short"));
3792 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3793 }
3794
3795 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3796 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
3797
3798 memcpy(ssl->out_msg + header_len,
3799 ssl->conf->psk_identity,
3800 ssl->conf->psk_identity_len);
3801 header_len += ssl->conf->psk_identity_len;
3802
3803#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3804 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) {
3805 content_len = 0;
3806 } else
3807#endif
3808#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
3809 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
3810#if defined(MBEDTLS_USE_PSA_CRYPTO)
3811 /* Opaque PSKs are currently only supported for PSK-only suites. */
3812 if (ssl_conf_has_static_raw_psk(ssl->conf) == 0) {
3813 MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with RSA-PSK"));
3814 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3815 }
3816#endif /* MBEDTLS_USE_PSA_CRYPTO */
3817
3818 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3819 &content_len, 2)) != 0) {
3820 return ret;
3821 }
3822 } else
3823#endif
3824#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
3825 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
3826#if defined(MBEDTLS_USE_PSA_CRYPTO)
3827 /* Opaque PSKs are currently only supported for PSK-only suites. */
3828 if (ssl_conf_has_static_raw_psk(ssl->conf) == 0) {
3829 MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with DHE-PSK"));
3830 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3831 }
3832#endif /* MBEDTLS_USE_PSA_CRYPTO */
3833
3834 /*
3835 * ClientDiffieHellmanPublic public (DHM send G^X mod P)
3836 */
3837 content_len = ssl->handshake->dhm_ctx.len;
3838
3839 if (header_len + 2 + content_len >
3840 MBEDTLS_SSL_OUT_CONTENT_LEN) {
3841 MBEDTLS_SSL_DEBUG_MSG(1,
3842 ("psk identity or DHM size too long or SSL buffer too short"));
3843 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3844 }
3845
3846 ssl->out_msg[header_len++] = MBEDTLS_BYTE_1(content_len);
3847 ssl->out_msg[header_len++] = MBEDTLS_BYTE_0(content_len);
3848
3849 ret = mbedtls_dhm_make_public(&ssl->handshake->dhm_ctx,
3850 (int) mbedtls_mpi_size(&ssl->handshake->dhm_ctx.P),
3851 &ssl->out_msg[header_len], content_len,
3852 ssl->conf->f_rng, ssl->conf->p_rng);
3853 if (ret != 0) {
3854 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_make_public", ret);
3855 return ret;
3856 }
3857 } else
3858#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
3859#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
3860 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
3861#if defined(MBEDTLS_USE_PSA_CRYPTO)
3862 /* Opaque PSKs are currently only supported for PSK-only suites. */
3863 if (ssl_conf_has_static_raw_psk(ssl->conf) == 0) {
3864 MBEDTLS_SSL_DEBUG_MSG(1, ("opaque PSK not supported with ECDHE-PSK"));
3865 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3866 }
3867#endif /* MBEDTLS_USE_PSA_CRYPTO */
3868
3869 /*
3870 * ClientECDiffieHellmanPublic public;
3871 */
3872 ret = mbedtls_ecdh_make_public(&ssl->handshake->ecdh_ctx,
3873 &content_len,
3874 &ssl->out_msg[header_len],
3875 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3876 ssl->conf->f_rng, ssl->conf->p_rng);
3877 if (ret != 0) {
3878 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_make_public", ret);
3879 return ret;
3880 }
3881
3882 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
3883 MBEDTLS_DEBUG_ECDH_Q);
3884 } else
3885#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
3886 {
3887 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3888 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3889 }
3890
3891#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
3892 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
3893 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
3894 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
3895 ssl_conf_has_static_raw_psk(ssl->conf) == 0) {
3896 MBEDTLS_SSL_DEBUG_MSG(1,
3897 ("skip PMS generation for opaque PSK"));
3898 } else
3899#endif /* MBEDTLS_USE_PSA_CRYPTO &&
3900 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
3901 if ((ret = mbedtls_ssl_psk_derive_premaster(ssl,
3902 ciphersuite_info->key_exchange)) != 0) {
3903 MBEDTLS_SSL_DEBUG_RET(1,
3904 "mbedtls_ssl_psk_derive_premaster", ret);
3905 return ret;
3906 }
3907 } else
3908#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
3909#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
3910 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA) {
3911 header_len = 4;
3912 if ((ret = ssl_write_encrypted_pms(ssl, header_len,
3913 &content_len, 0)) != 0) {
3914 return ret;
3915 }
3916 } else
3917#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3918#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3919 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
3920 header_len = 4;
3921
3922 ret = mbedtls_ecjpake_write_round_two(&ssl->handshake->ecjpake_ctx,
3923 ssl->out_msg + header_len,
3924 MBEDTLS_SSL_OUT_CONTENT_LEN - header_len,
3925 &content_len,
3926 ssl->conf->f_rng, ssl->conf->p_rng);
3927 if (ret != 0) {
3928 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_write_round_two", ret);
3929 return ret;
3930 }
3931
3932 ret = mbedtls_ecjpake_derive_secret(&ssl->handshake->ecjpake_ctx,
3933 ssl->handshake->premaster, 32, &ssl->handshake->pmslen,
3934 ssl->conf->f_rng, ssl->conf->p_rng);
3935 if (ret != 0) {
3936 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecjpake_derive_secret", ret);
3937 return ret;
3938 }
3939 } else
3940#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
3941 {
3942 ((void) ciphersuite_info);
3943 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3944 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3945 }
3946
3947 ssl->out_msglen = header_len + content_len;
3948 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3949 ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
3950
3951 ssl->state++;
3952
3953 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3954 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3955 return ret;
3956 }
3957
3958 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write client key exchange"));
3959
3960 return 0;
3961}
3962
3963#if !defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
3964MBEDTLS_CHECK_RETURN_CRITICAL
3965static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
3966{
3967 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3968 ssl->handshake->ciphersuite_info;
3969 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3970
3971 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
3972
3973 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
3974 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
3975 return ret;
3976 }
3977
3978 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
3979 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
3980 ssl->state++;
3981 return 0;
3982 }
3983
3984 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
3985 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3986}
3987#else /* !MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
3988MBEDTLS_CHECK_RETURN_CRITICAL
3989static int ssl_write_certificate_verify(mbedtls_ssl_context *ssl)
3990{
3991 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3992 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
3993 ssl->handshake->ciphersuite_info;
3994 size_t n = 0, offset = 0;
3995 unsigned char hash[48];
3996 unsigned char *hash_start = hash;
3997 mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
3998 size_t hashlen;
3999 void *rs_ctx = NULL;
4000
4001 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
4002
4003#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4004 if (ssl->handshake->ecrs_enabled &&
4005 ssl->handshake->ecrs_state == ssl_ecrs_crt_vrfy_sign) {
4006 goto sign;
4007 }
4008#endif
4009
4010 if ((ret = mbedtls_ssl_derive_keys(ssl)) != 0) {
4011 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_derive_keys", ret);
4012 return ret;
4013 }
4014
4015 if (!mbedtls_ssl_ciphersuite_cert_req_allowed(ciphersuite_info)) {
4016 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
4017 ssl->state++;
4018 return 0;
4019 }
4020
4021 if (ssl->client_auth == 0 || mbedtls_ssl_own_cert(ssl) == NULL) {
4022 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate verify"));
4023 ssl->state++;
4024 return 0;
4025 }
4026
4027 if (mbedtls_ssl_own_key(ssl) == NULL) {
4028 MBEDTLS_SSL_DEBUG_MSG(1, ("got no private key for certificate"));
4029 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
4030 }
4031
4032 /*
4033 * Make a signature of the handshake digests
4034 */
4035#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4036 if (ssl->handshake->ecrs_enabled) {
4037 ssl->handshake->ecrs_state = ssl_ecrs_crt_vrfy_sign;
4038 }
4039
4040sign:
4041#endif
4042
4043 ssl->handshake->calc_verify(ssl, hash, &hashlen);
4044
4045#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4046 defined(MBEDTLS_SSL_PROTO_TLS1_1)
4047 if (ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3) {
4048 /*
4049 * digitally-signed struct {
4050 * opaque md5_hash[16];
4051 * opaque sha_hash[20];
4052 * };
4053 *
4054 * md5_hash
4055 * MD5(handshake_messages);
4056 *
4057 * sha_hash
4058 * SHA(handshake_messages);
4059 */
4060 md_alg = MBEDTLS_MD_NONE;
4061
4062 /*
4063 * For ECDSA, default hash is SHA-1 only
4064 */
4065 if (mbedtls_pk_can_do(mbedtls_ssl_own_key(ssl), MBEDTLS_PK_ECDSA)) {
4066 hash_start += 16;
4067 hashlen -= 16;
4068 md_alg = MBEDTLS_MD_SHA1;
4069 }
4070 } else
4071#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
4072 MBEDTLS_SSL_PROTO_TLS1_1 */
4073#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4074 if (ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3) {
4075 /*
4076 * digitally-signed struct {
4077 * opaque handshake_messages[handshake_messages_length];
4078 * };
4079 *
4080 * Taking shortcut here. We assume that the server always allows the
4081 * PRF Hash function and has sent it in the allowed signature
4082 * algorithms list received in the Certificate Request message.
4083 *
4084 * Until we encounter a server that does not, we will take this
4085 * shortcut.
4086 *
4087 * Reason: Otherwise we should have running hashes for SHA512 and
4088 * SHA224 in order to satisfy 'weird' needs from the server
4089 * side.
4090 */
4091 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
4092 md_alg = MBEDTLS_MD_SHA384;
4093 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
4094 } else {
4095 md_alg = MBEDTLS_MD_SHA256;
4096 ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA256;
4097 }
4098 ssl->out_msg[5] = mbedtls_ssl_sig_from_pk(mbedtls_ssl_own_key(ssl));
4099
4100 /* Info from md_alg will be used instead */
4101 hashlen = 0;
4102 offset = 2;
4103 } else
4104#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4105 {
4106 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
4107 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4108 }
4109
4110#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4111 if (ssl->handshake->ecrs_enabled) {
4112 rs_ctx = &ssl->handshake->ecrs_ctx.pk;
4113 }
4114#endif
4115
4116 if ((ret = mbedtls_pk_sign_restartable(mbedtls_ssl_own_key(ssl),
4117 md_alg, hash_start, hashlen,
4118 ssl->out_msg + 6 + offset, &n,
4119 ssl->conf->f_rng, ssl->conf->p_rng, rs_ctx)) != 0) {
4120 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_sign", ret);
4121#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4122 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
4123 ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
4124 }
4125#endif
4126 return ret;
4127 }
4128
4129 MBEDTLS_PUT_UINT16_BE(n, ssl->out_msg, offset + 4);
4130
4131 ssl->out_msglen = 6 + n + offset;
4132 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4133 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
4134
4135 ssl->state++;
4136
4137 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4138 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4139 return ret;
4140 }
4141
4142 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate verify"));
4143
4144 return ret;
4145}
4146#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
4147
4148#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4149MBEDTLS_CHECK_RETURN_CRITICAL
4150static int ssl_parse_new_session_ticket(mbedtls_ssl_context *ssl)
4151{
4152 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4153 uint32_t lifetime;
4154 size_t ticket_len;
4155 unsigned char *ticket;
4156 const unsigned char *msg;
4157
4158 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse new session ticket"));
4159
4160 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
4161 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
4162 return ret;
4163 }
4164
4165 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
4166 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
4167 mbedtls_ssl_send_alert_message(
4168 ssl,
4169 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4170 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
4171 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
4172 }
4173
4174 /*
4175 * struct {
4176 * uint32 ticket_lifetime_hint;
4177 * opaque ticket<0..2^16-1>;
4178 * } NewSessionTicket;
4179 *
4180 * 0 . 3 ticket_lifetime_hint
4181 * 4 . 5 ticket_len (n)
4182 * 6 . 5+n ticket content
4183 */
4184 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ||
4185 ssl->in_hslen < 6 + mbedtls_ssl_hs_hdr_len(ssl)) {
4186 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
4187 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4188 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
4189 return MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET;
4190 }
4191
4192 msg = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
4193
4194 lifetime = (((uint32_t) msg[0]) << 24) | (msg[1] << 16) |
4195 (msg[2] << 8) | (msg[3]);
4196
4197 ticket_len = (msg[4] << 8) | (msg[5]);
4198
4199 if (ticket_len + 6 + mbedtls_ssl_hs_hdr_len(ssl) != ssl->in_hslen) {
4200 MBEDTLS_SSL_DEBUG_MSG(1, ("bad new session ticket message"));
4201 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4202 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
4203 return MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET;
4204 }
4205
4206 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket length: %" MBEDTLS_PRINTF_SIZET, ticket_len));
4207
4208 /* We're not waiting for a NewSessionTicket message any more */
4209 ssl->handshake->new_session_ticket = 0;
4210 ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;
4211
4212 /*
4213 * Zero-length ticket means the server changed his mind and doesn't want
4214 * to send a ticket after all, so just forget it
4215 */
4216 if (ticket_len == 0) {
4217 return 0;
4218 }
4219
4220 if (ssl->session != NULL && ssl->session->ticket != NULL) {
4221 mbedtls_platform_zeroize(ssl->session->ticket,
4222 ssl->session->ticket_len);
4223 mbedtls_free(ssl->session->ticket);
4224 ssl->session->ticket = NULL;
4225 ssl->session->ticket_len = 0;
4226 }
4227
4228 mbedtls_platform_zeroize(ssl->session_negotiate->ticket,
4229 ssl->session_negotiate->ticket_len);
4230 mbedtls_free(ssl->session_negotiate->ticket);
4231 ssl->session_negotiate->ticket = NULL;
4232 ssl->session_negotiate->ticket_len = 0;
4233
4234 if ((ticket = mbedtls_calloc(1, ticket_len)) == NULL) {
4235 MBEDTLS_SSL_DEBUG_MSG(1, ("ticket alloc failed"));
4236 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4237 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
4238 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
4239 }
4240
4241 memcpy(ticket, msg + 6, ticket_len);
4242
4243 ssl->session_negotiate->ticket = ticket;
4244 ssl->session_negotiate->ticket_len = ticket_len;
4245 ssl->session_negotiate->ticket_lifetime = lifetime;
4246
4247 /*
4248 * RFC 5077 section 3.4:
4249 * "If the client receives a session ticket from the server, then it
4250 * discards any Session ID that was sent in the ServerHello."
4251 */
4252 MBEDTLS_SSL_DEBUG_MSG(3, ("ticket in use, discarding session id"));
4253 ssl->session_negotiate->id_len = 0;
4254
4255 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse new session ticket"));
4256
4257 return 0;
4258}
4259#endif /* MBEDTLS_SSL_SESSION_TICKETS */
4260
4261/*
4262 * SSL handshake -- client side -- single step
4263 */
4264int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
4265{
4266 int ret = 0;
4267
4268 if (ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL) {
4269 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4270 }
4271
4272 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %d", ssl->state));
4273
4274 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
4275 return ret;
4276 }
4277
4278#if defined(MBEDTLS_SSL_PROTO_DTLS)
4279 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4280 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4281 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
4282 return ret;
4283 }
4284 }
4285#endif /* MBEDTLS_SSL_PROTO_DTLS */
4286
4287 /* Change state now, so that it is right in mbedtls_ssl_read_record(), used
4288 * by DTLS for dropping out-of-sequence ChangeCipherSpec records */
4289#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4290 if (ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
4291 ssl->handshake->new_session_ticket != 0) {
4292 ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
4293 }
4294#endif
4295
4296 switch (ssl->state) {
4297 case MBEDTLS_SSL_HELLO_REQUEST:
4298 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4299 break;
4300
4301 /*
4302 * ==> ClientHello
4303 */
4304 case MBEDTLS_SSL_CLIENT_HELLO:
4305 ret = ssl_write_client_hello(ssl);
4306 break;
4307
4308 /*
4309 * <== ServerHello
4310 * Certificate
4311 * ( ServerKeyExchange )
4312 * ( CertificateRequest )
4313 * ServerHelloDone
4314 */
4315 case MBEDTLS_SSL_SERVER_HELLO:
4316 ret = ssl_parse_server_hello(ssl);
4317 break;
4318
4319 case MBEDTLS_SSL_SERVER_CERTIFICATE:
4320 ret = mbedtls_ssl_parse_certificate(ssl);
4321 break;
4322
4323 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
4324 ret = ssl_parse_server_key_exchange(ssl);
4325 break;
4326
4327 case MBEDTLS_SSL_CERTIFICATE_REQUEST:
4328 ret = ssl_parse_certificate_request(ssl);
4329 break;
4330
4331 case MBEDTLS_SSL_SERVER_HELLO_DONE:
4332 ret = ssl_parse_server_hello_done(ssl);
4333 break;
4334
4335 /*
4336 * ==> ( Certificate/Alert )
4337 * ClientKeyExchange
4338 * ( CertificateVerify )
4339 * ChangeCipherSpec
4340 * Finished
4341 */
4342 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4343 ret = mbedtls_ssl_write_certificate(ssl);
4344 break;
4345
4346 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
4347 ret = ssl_write_client_key_exchange(ssl);
4348 break;
4349
4350 case MBEDTLS_SSL_CERTIFICATE_VERIFY:
4351 ret = ssl_write_certificate_verify(ssl);
4352 break;
4353
4354 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
4355 ret = mbedtls_ssl_write_change_cipher_spec(ssl);
4356 break;
4357
4358 case MBEDTLS_SSL_CLIENT_FINISHED:
4359 ret = mbedtls_ssl_write_finished(ssl);
4360 break;
4361
4362 /*
4363 * <== ( NewSessionTicket )
4364 * ChangeCipherSpec
4365 * Finished
4366 */
4367#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4368 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
4369 ret = ssl_parse_new_session_ticket(ssl);
4370 break;
4371#endif
4372
4373 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
4374 ret = mbedtls_ssl_parse_change_cipher_spec(ssl);
4375 break;
4376
4377 case MBEDTLS_SSL_SERVER_FINISHED:
4378 ret = mbedtls_ssl_parse_finished(ssl);
4379 break;
4380
4381 case MBEDTLS_SSL_FLUSH_BUFFERS:
4382 MBEDTLS_SSL_DEBUG_MSG(2, ("handshake: done"));
4383 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
4384 break;
4385
4386 case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
4387 mbedtls_ssl_handshake_wrapup(ssl);
4388 break;
4389
4390 default:
4391 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid state %d", ssl->state));
4392 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4393 }
4394
4395 return ret;
4396}
4397#endif /* MBEDTLS_SSL_CLI_C */
4398